CVE-2025-54172

4.8 MEDIUM

📋 TL;DR

QuickCMS is vulnerable to stored cross-site scripting (XSS) in the sTitle parameter of the page editor functionality. An attacker with admin privileges can inject malicious HTML and JavaScript that executes when users visit the edited page. This affects QuickCMS installations where admin accounts could be compromised or misused.

💻 Affected Systems

Products:
  • QuickCMS
Versions: 6.8 (confirmed), other versions potentially affected
Operating Systems: All platforms running QuickCMS
Default Config Vulnerable: ⚠️ Yes
Notes: Requires admin privileges to exploit; according to the description, regular (non-admin) users cannot inject scripts.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Compromised admin account leads to complete website takeover, credential theft from visitors, malware distribution, or defacement.

🟠 Likely Case

Malicious admin injects tracking scripts, redirects, or defaces specific pages, affecting user trust.

🟢 If Mitigated

With proper admin account security and input validation, impact is limited to minor content manipulation.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires admin access. No public exploit code available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: UNKNOWN

Vendor Advisory: https://opensolution.org/cms-system-quick-cms.html

Restart Required: No

Instructions:

Check the vendor website for updates. Since the vendor has not responded, consider the workarounds below or an alternative CMS.

🔧 Temporary Workarounds

Input Validation Filter (applies to: all)

Implement server-side filtering of HTML/JS in the sTitle parameter: add input sanitization in the page editor backend code.

Content Security Policy (applies to: all)

Implement CSP headers to restrict script execution: add a Content-Security-Policy header to the web server configuration.

🧯 If You Can't Patch

  • Restrict admin account access to trusted personnel only
  • Implement web application firewall with XSS protection rules

🔍 How to Verify

Check if Vulnerable:

Test if HTML/JS can be injected via sTitle parameter in page editor with admin account

Check Version:

Check QuickCMS version in admin panel or configuration files

Verify Fix Applied:

Verify injected scripts no longer execute when visiting edited pages

📡 Detection & Monitoring

Log Indicators:

  • Unusual admin activity in page editor
  • Suspicious HTML/JS patterns in page titles

Network Indicators:

  • Unexpected script loads from edited pages

SIEM Query:

admin_user:* AND action:"edit_page" AND (title:*<script* OR title:*javascript:* OR title:*onclick*)
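As an added example (not part of the original advisory), the logic of the SIEM query above run over constructed audit-log lines. The key="value" log format and the field names admin_user, action, page_id and title are assumptions; the title check extends the page's three indicators (`<script`, `javascript:`, `onclick`) to any inline `on<event>=` handler.

```python
import re

# Constructed sample audit-log lines (not real QuickCMS output).
SAMPLE_LOGS = [
    'admin_user="alice" action="edit_page" page_id="3" title="About us"',
    'admin_user="alice" action="edit_page" page_id="4" title="News <SCRIPT>alert(1)</SCRIPT>"',
    'admin_user="bob" action="edit_page" page_id="5" title="<a href=javascript:alert(1)>Contact</a>"',
    'admin_user="bob" action="login" page_id="-" title="<script>"',
    'admin_user="carol" action="edit_page" page_id="6" title="<img src=x onerror=alert(1)>"',
    'user="guest" action="edit_page" page_id="7" title="<script>"',
]

KV_RE = re.compile(r'(\w+)="([^"]*)"')

# The page's indicators plus a generic inline event-handler heuristic (on<name>=).
# The heuristic can false-positive on words such as "Online=", so review hits.
SUSPICIOUS_TITLE_RE = re.compile(r'<script|javascript:|\bon\w+\s*=', re.IGNORECASE)


def parse_line(line: str) -> dict:
    """Parse key="value" pairs into a dict (later duplicates win)."""
    return {k: v for k, v in KV_RE.findall(line)}


def is_suspicious_title(title: str) -> bool:
    """True if the page title carries an XSS indicator."""
    return SUSPICIOUS_TITLE_RE.search(title) is not None


def find_suspicious_edits(lines):
    """Mirror the SIEM query: admin_user:* AND action:"edit_page" AND a title hit."""
    hits = []
    for line in lines:
        fields = parse_line(line)
        if not fields.get("admin_user"):          # admin_user:* needs the field present
            continue
        if fields.get("action") != "edit_page":   # only page-editor actions
            continue
        if is_suspicious_title(fields.get("title", "")):
            hits.append(fields)
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_edits(SAMPLE_LOGS):
        print(hit["admin_user"], hit["page_id"], repr(hit["title"]))
```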
