CVE-2025-52035
📋 TL;DR
A stored cross-site scripting (XSS) vulnerability in NotesCMS allows attackers to inject malicious scripts into the title field of service descriptions via the /index.php?route=notes page. This vulnerability affects all NotesCMS instances running versions between commit 7d821a0f028b0778b245b99ab3d3bff1ac10e2d3 (May 8, 2024) and commit 95322c5121dbd7070f3bd54f2848079654a0a8ea (March 31, 2025). Attackers can execute arbitrary JavaScript in victims' browsers when they view the compromised service descriptions.
💻 Affected Systems
- NotesCMS
📦 What is this software?
Notescms by Exe System
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal session cookies, perform actions as authenticated users, redirect users to malicious sites, or install malware through drive-by downloads.
Likely Case
Session hijacking, credential theft, defacement of service descriptions, or redirection to phishing pages.
If Mitigated
Limited impact with proper Content Security Policy (CSP) headers, input validation, and output encoding in place.
🎯 Exploit Status
Exploitation requires the ability to create or edit service descriptions, which typically requires authentication. The attack is stored/persistent, affecting all users who view the compromised content.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Commit 95322c5121dbd7070f3bd54f2848079654a0a8ea or later
Vendor Advisory: https://github.com/PrivateAccount/NotesCMS/issues/2
Restart Required: No
Instructions:
1. Update NotesCMS to commit 95322c5121dbd7070f3bd54f2848079654a0a8ea or later.
2. Pull the latest changes from the repository.
3. Verify the fix by checking that the title field properly sanitizes HTML/JavaScript input.
🔧 Temporary Workarounds
Implement Content Security Policy
Add a restrictive CSP header to prevent execution of inline scripts and unauthorized sources.
Add to web server configuration: Content-Security-Policy: default-src 'self'; script-src 'self'
Input Validation Filter
Add server-side validation to reject or sanitize HTML/JavaScript in title fields.
Implement PHP filter (note that htmlspecialchars encodes rather than rejects, so apply it wherever the title is rendered into HTML, not only on save): $title = htmlspecialchars($_POST['title'], ENT_QUOTES, 'UTF-8');
🧯 If You Can't Patch
- Disable or restrict access to the /index.php?route=notes page using web server rules or application firewalls.
- Implement strict output encoding for all user-controlled data displayed in the application.
🔍 How to Verify
Check if Vulnerable:
Test by attempting to inject a simple XSS payload like <script>alert('XSS')</script> into the title field of a service description and check whether it executes when viewed.
Check Version:
Check git commit hash: git log --oneline -1
Verify Fix Applied:
After patching, attempt the same XSS injection test and verify that the payload is properly sanitized (displayed as plain text, not executed).
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /index.php?route=notes with script tags or JavaScript in parameters
- Multiple failed login attempts followed by successful access to notes functionality
Network Indicators:
- HTTP requests containing script tags or JavaScript code in title parameters
- Outbound connections to suspicious domains from the NotesCMS server
SIEM Query:
source="web_logs" AND (url="/index.php?route=notes" AND (param="title" CONTAINS "<script>" OR param="title" CONTAINS "javascript:"))
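The log indicators and SIEM query above, carried through as detection logic over constructed sample log lines. This is an added Python example, not code from NotesCMS or the advisory; the log line format and the assumption that the POST body's title field is logged are assumptions. Unlike the raw SIEM query, it URL-decodes the title before matching, so percent-encoded payloads and mixed-case "JavaScript:" URLs are also flagged.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample log lines (assumed format: ip ident user [time] "request" status size "body").
# The body field is an assumption: standard access logs do not record POST bodies,
# so this presumes a request-body logging module or a WAF log feeding the SIEM.
SAMPLE_LOGS = [
    '10.0.0.5 - admin [01/Apr/2025:10:00:01 +0000] "POST /index.php?route=notes HTTP/1.1" 200 512 "title=Quarterly+report"',
    '10.0.0.7 - editor [01/Apr/2025:10:02:13 +0000] "POST /index.php?route=notes HTTP/1.1" 200 512 "title=%3Cscript%3Ealert%281%29%3C%2Fscript%3E"',
    '10.0.0.9 - editor [01/Apr/2025:10:05:44 +0000] "POST /index.php?route=notes HTTP/1.1" 200 512 "title=%3Ca+href%3D%22JavaScript%3Avoid%280%29%22%3Ex%3C%2Fa%3E"',
    '10.0.0.5 - admin [01/Apr/2025:10:07:00 +0000] "GET /index.php?route=notes HTTP/1.1" 200 2048 "-"',
]

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" \d{3} \d+ "(?P<body>[^"]*)"$'
)

# Mirrors the advisory's SIEM query (<script> tag or javascript: URL), but applied to the
# decoded value and case-insensitively, with optional whitespace around the colon.
SUSPICIOUS = re.compile(r'<\s*script\b|javascript\s*:', re.IGNORECASE)


def is_notes_route(target):
    """True for the vulnerable page, /index.php?route=notes."""
    parts = urlsplit(target)
    return parts.path == '/index.php' and parse_qs(parts.query).get('route') == ['notes']


def title_values(target, body):
    """Every 'title' value from the query string and the form body, URL-decoded by parse_qs."""
    values = []
    for qs in (urlsplit(target).query, body):
        values.extend(parse_qs(qs).get('title', []))
    return values


def find_suspicious(lines):
    """Return (ip, user, method, decoded_title) for each request carrying a suspicious title."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not is_notes_route(m['target']):
            continue
        for title in title_values(m['target'], m['body']):
            if SUSPICIOUS.search(title):
                hits.append((m['ip'], m['user'], m['method'], title))
                break
    return hits


if __name__ == '__main__':
    for hit in find_suspicious(SAMPLE_LOGS):
        print('suspicious title from %s (%s, %s): %r' % hit)
```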