CVE-2025-5013

4.3 MEDIUM

📋 TL;DR

This vulnerability allows attackers to inject malicious scripts into the search functionality of HkCms. When users view search results containing the manipulated keyword parameter, their browsers execute the attacker's code. All HkCms installations up to version 2.3.2.240702 with the search feature enabled are affected.

💻 Affected Systems

Products:
  • HkCms
Versions: up to 2.3.2.240702
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: The search component must be enabled and accessible, which is typically the default configuration.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could steal session cookies, redirect users to malicious sites, or perform actions on behalf of authenticated users if combined with other vulnerabilities.

🟠

Likely Case

Attackers inject malicious scripts that steal user session data or display phishing content to users viewing search results.

🟢

If Mitigated

With proper input validation and output encoding, the malicious scripts would be rendered harmless as text rather than executed.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The exploit has been publicly disclosed and requires minimal technical skill to implement.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://gitee.com/Hk_Cms/HkCms/issues/IBZ2G7

Restart Required: No

Instructions:

Check the vendor repository for updates. If a patch is released, update HkCms to the latest version following standard CMS update procedures.

🔧 Temporary Workarounds

Input Validation Filter

Applies to: all

Implement server-side input validation to sanitize the 'keyword' parameter before processing.

Modify /index.php/search/index.html to validate and sanitize user input

Output Encoding

Applies to: all

Apply proper output encoding when displaying search results to prevent script execution.

Implement HTML entity encoding for all user-controlled output in search results

🧯 If You Can't Patch

  • Disable the search functionality if not essential
  • Implement a web application firewall (WAF) with XSS protection rules

🔍 How to Verify

Check if Vulnerable:

Test by submitting a search with a payload like <script>alert('XSS')</script> in the keyword parameter and checking whether it executes in the browser rather than being displayed as text.

Check Version:

Check the CMS version in the admin panel or configuration files

Verify Fix Applied:

After implementing fixes, repeat the test payload to confirm scripts are no longer executed.

📡 Detection & Monitoring

Log Indicators:

  • Unusual search queries containing script tags or JavaScript code
  • Multiple failed search attempts with malicious patterns

Network Indicators:

  • HTTP requests to /index.php/search/index.html with suspicious parameters

SIEM Query:

source="web_server" AND uri_path="/index.php/search/index.html" AND (query_string CONTAINS "<script>" OR query_string CONTAINS "javascript:")
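The SIEM query above matches the literal string "<script>", so a URL-encoded keyword (%3Cscript%3E) would slip past it. The following log-scanning routine is an added example, not part of this advisory or of HkCms; it decodes the keyword parameter of requests to the affected search route before checking it, and runs over constructed sample log lines, not real traffic.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Route named in the advisory for CVE-2025-5013.
SEARCH_PATH = "/index.php/search/index.html"

# Coarse defender-side patterns for script injection in a decoded keyword value
# (script tags, javascript: URLs, inline event handlers). Tune for false positives.
SUSPICIOUS = re.compile(r"<\s*script|javascript:|\bon\w+\s*=", re.IGNORECASE)

# Request line of a common/combined-format access log entry.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def keyword_from_target(target):
    """Return the decoded 'keyword' value of a request to the search route, else None."""
    parts = urlsplit(target)
    if parts.path != SEARCH_PATH:
        return None
    values = parse_qs(parts.query, keep_blank_values=True).get("keyword")
    if not values:
        return None
    # parse_qs already decoded once; decode again so double-encoded payloads are inspected too.
    return unquote_plus(values[0])


def flag_search_requests(log_lines):
    """Return (line_number, decoded_keyword) for requests whose keyword looks like script injection."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = LOG_RE.search(line)
        if not m:
            continue
        keyword = keyword_from_target(m.group("target"))
        if keyword is not None and SUSPICIOUS.search(keyword):
            hits.append((n, keyword))
    return hits


# Constructed sample log lines (not real traffic): a benign search, a literal payload,
# a URL-encoded payload that a literal "<script>" match would miss, and another route.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jun/2025:10:00:01 +0000] "GET /index.php/search/index.html?keyword=laptop HTTP/1.1" 200 512',
    '10.0.0.6 - - [01/Jun/2025:10:00:02 +0000] "GET /index.php/search/index.html?keyword=<script>alert(1)</script> HTTP/1.1" 200 640',
    '10.0.0.7 - - [01/Jun/2025:10:00:03 +0000] "GET /index.php/search/index.html?keyword=%3Cscript%3Ealert%281%29%3C%2Fscript%3E HTTP/1.1" 200 640',
    '10.0.0.8 - - [01/Jun/2025:10:00:04 +0000] "GET /index.php/article/1.html?keyword=<script> HTTP/1.1" 200 800',
]

if __name__ == "__main__":
    for n, kw in flag_search_requests(SAMPLE_LOG):
        print(f"line {n}: suspicious keyword {kw!r}")
```

Only the two search-route requests carrying a script payload are reported; the same keyword on another route is ignored, so the check stays scoped to the affected component.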
