CVE-2025-54544

4.8 MEDIUM

📋 TL;DR

QuickCMS, including version 6.8, is vulnerable to stored cross-site scripting (XSS) via the aDirFilesDescriptions parameter in the files editor. An attacker with admin privileges can inject HTML/JavaScript that is stored and executes whenever users visit the affected pages. The most exposed victims are other QuickCMS administrators, who could be tricked into viewing a page that carries the injected code.

💻 Affected Systems

Products:
  • QuickCMS
Versions: 6.8 confirmed vulnerable; other versions may be vulnerable but untested
Operating Systems: All platforms running QuickCMS
Default Config Vulnerable: ⚠️ Yes
Notes: Requires admin privileges to exploit; the default admin user normally cannot add JavaScript, but this vulnerability bypasses that restriction.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete website compromise through session hijacking, credential theft, defacement, or malware distribution to all visitors.

🟠 Likely Case: Limited impact since it requires admin privileges; most likely used for defacement or targeted attacks against specific users.

🟢 If Mitigated: Minimal impact with proper admin account security and content validation in place.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires admin credentials; simple injection via files editor parameter.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available

Restart Required: No

Instructions:

No official patch available. Monitor vendor channels for updates.

🔧 Temporary Workarounds

Input Validation Filter (Platforms: all)

  • Implement server-side input validation to sanitize the aDirFilesDescriptions parameter
  • Implement HTML/JavaScript sanitization in the files editor processing code

Content Security Policy (Platforms: all)

  • Implement strict CSP headers to prevent script execution
  • Add the response header "Content-Security-Policy: default-src 'self'; script-src 'self'" to HTTP responses (test first: a self-only policy also blocks any inline scripts the CMS's own pages rely on)

🧯 If You Can't Patch

  • Restrict admin access to trusted users only with strong authentication
  • Implement web application firewall rules to block XSS payloads in the aDirFilesDescriptions parameter

🔍 How to Verify

Check if Vulnerable:

Test whether HTML/JavaScript submitted via the aDirFilesDescriptions parameter persists and executes when viewing the edited pages

Check Version:

Check QuickCMS version in admin panel or configuration files

Verify Fix Applied:

Verify that injected scripts are properly sanitized and do not execute

📡 Detection & Monitoring

Log Indicators:

  • Unusual file edit activity by admin users
  • Suspicious strings in the aDirFilesDescriptions parameter

Network Indicators:

  • HTTP requests with script tags or JavaScript in the aDirFilesDescriptions parameter

SIEM Query:

Search web logs for 'aDirFilesDescriptions' values containing script tags or JavaScript patterns (note that stock access logs record only the request line, so catching POST bodies requires request-body logging at the web server or WAF)
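As an added example (not QuickCMS code and not part of the original advisory), the following Python scan runs over constructed log lines and flags aDirFilesDescriptions values that carry script markers, including double-URL-encoded ones. It assumes the web server or WAF appends the POST body as body="..." and that the fields are named aDirFilesDescriptions[n]; both are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote

PARAM = "aDirFilesDescriptions"
BODY_RE = re.compile(r'body="([^"]*)"')
# Heuristic markers of script injection; tune for the CMS's legitimate markup.
SCRIPT_PATTERNS = [
    re.compile(r"<\s*script\b", re.I),       # <script> tags
    re.compile(r"\bon[a-z]+\s*=", re.I),     # inline event handlers (onerror=, onload=)
    re.compile(r"javascript\s*:", re.I),     # javascript: URIs
]

# Constructed sample log lines (not real QuickCMS traffic). They assume the web
# server or WAF logs the POST body as body="..."; stock access logs do not.
SAMPLE_LOGS = [
    '10.0.0.5 admin "POST /admin.php?p=files" 200 body="aDirFilesDescriptions%5B0%5D=Quarterly+report+2025"',
    '10.0.0.5 admin "POST /admin.php?p=files" 200 body="aDirFilesDescriptions%5B0%5D=%3Cscript%3Ealert(1)%3C%2Fscript%3E"',
    '10.0.0.9 admin "POST /admin.php?p=files" 200 body="aDirFilesDescriptions%5B1%5D=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E"',
    '10.0.0.9 admin "POST /admin.php?p=files" 200 body="sTitle=%3Cb%3ENews%3C%2Fb%3E&aDirFilesDescriptions%5B0%5D=Notes"',
    '10.0.0.9 - "GET /index.php?p=files" 200',
]

def fully_decode(value, rounds=3):
    """URL-decode repeatedly so double-encoded payloads are not missed."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_descriptions(line):
    """Return (field, decoded value) pairs for aDirFilesDescriptions fields matching a script pattern."""
    match = BODY_RE.search(line)
    if not match:
        return []
    hits = []
    # parse_qs strips one layer of URL encoding from names and values,
    # so aDirFilesDescriptions%5B0%5D becomes aDirFilesDescriptions[0].
    for name, values in parse_qs(match.group(1), keep_blank_values=True).items():
        if not name.startswith(PARAM):
            continue
        for value in values:
            decoded = fully_decode(value)
            if any(p.search(decoded) for p in SCRIPT_PATTERNS):
                hits.append((name, decoded))
    return hits

def scan(lines):
    """Map log line index -> suspicious hits, for lines that have any."""
    return {i: hits for i, line in enumerate(lines) if (hits := suspicious_descriptions(line))}
```

The event-handler pattern is deliberately broad and will flag benign text such as "One=two", so treat matches as triage leads rather than confirmed injections.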
