CVE-2025-61413
📋 TL;DR
A stored cross-site scripting vulnerability in Piranha CMS v12.0 allows authenticated attackers to inject malicious scripts into Markdown blocks when creating pages. This affects all Piranha CMS v12.0 installations with the /manager/pages component enabled. Attackers can execute arbitrary JavaScript in victims' browsers when they view the compromised pages.
💻 Affected Systems
- Piranha CMS
📦 What is this software?
Piranha CMS by Dotnetfoundation
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator session cookies, perform account takeover, deface websites, or redirect users to malicious sites, potentially leading to complete system compromise if admin privileges are obtained.
Likely Case
Attackers with CMS editor access inject malicious scripts that execute when users view affected pages, potentially stealing session tokens or performing actions on behalf of authenticated users.
If Mitigated
With proper input validation and output encoding, malicious scripts would be rendered harmless as text rather than executable code.
🎯 Exploit Status
Exploitation requires authenticated access to create or edit pages. Because this is stored XSS, payloads persist and affect every user who views the compromised pages.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v12.0.1 or later
Vendor Advisory: https://github.com/PiranhaCMS/piranha.core/releases
Restart Required: No
Instructions:
1. Back up your current installation.
2. Update Piranha CMS to version 12.0.1 or later via package manager or manual download.
3. Verify the update completed successfully.
4. Test page creation functionality.
🔧 Temporary Workarounds
Input Validation Filter
Implement server-side input validation to sanitize Markdown content before storage
Implement custom middleware or modify page creation logic to strip/escape script tags and JavaScript events
Content Security Policy
Implement strict CSP headers to prevent script execution from untrusted sources
Add the header Content-Security-Policy: script-src 'self' to web.config or equivalent
🧯 If You Can't Patch
- Restrict access to /manager/pages component to trusted administrators only
- Implement web application firewall rules to block XSS payload patterns
🔍 How to Verify
Check if Vulnerable:
Check if you can create a page with Markdown containing <script>alert('XSS')</script> and see if it executes when viewing the page
Check Version:
Check the CMS version in admin panel or examine package.json/assembly version
Verify Fix Applied:
After patching, attempt the same XSS payload and verify it's rendered as plain text rather than executed
📡 Detection & Monitoring
Log Indicators:
- Unusual page creation/modification patterns
- Markdown content containing script tags or JavaScript events
- Multiple failed login attempts followed by page creation
Network Indicators:
- HTTP requests with suspicious payloads in page content parameters
- Unexpected outbound connections from CMS to external domains
SIEM Query:
source="web_logs" AND (uri="/manager/pages" AND (body CONTAINS "<script>" OR body CONTAINS "javascript:"))
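The SIEM query above matches only a literal `<script>` or `javascript:` in the request body. The following is an added example, not code from Piranha CMS or from this advisory: a triage script that also covers the inline event handlers named under Log Indicators and decodes URL- and entity-encoded bodies before matching. The record layout (`id`, `body`), the function names and the sample records are assumptions constructed for illustration.

```python
import html
import re
from urllib.parse import unquote_plus

# Heuristics for the indicators listed above: script tags, inline event
# handlers ("JavaScript events") and javascript: URIs. For triage, not sanitizing.
INDICATORS = {
    "script_tag": re.compile(r"<\s*script\b", re.I),
    "event_handler": re.compile(r"<[^>]*\son[a-z]+\s*=", re.I),
    "javascript_uri": re.compile(r"javascript\s*:", re.I),
}

def scan(text: str) -> list[str]:
    """Return the sorted names of indicators found in one Markdown body."""
    # Decode URL encoding (logged form bodies) and HTML entities first.
    # Entity decoding errs toward flagging: correctly escaped text also hits.
    decoded = html.unescape(unquote_plus(text)).replace("\x00", "")
    return sorted(name for name, rx in INDICATORS.items() if rx.search(decoded))

def triage(records):
    """Map record id -> indicators, keeping only records with a hit."""
    hits = {}
    for rec in records:
        found = scan(rec["body"])
        if found:
            hits[rec["id"]] = found
    return hits

# Constructed sample records (hypothetical ids, not real log or page data).
SAMPLES = [
    {"id": "page-1", "body": "# Welcome\n\nPlain *Markdown* with a [link](https://example.com)."},
    {"id": "page-2", "body": "Intro text\n\n<script>alert('XSS')</script>"},
    {"id": "page-3", "body": "<img src=x onerror=alert(1)>"},
    {"id": "page-4", "body": "[click](javascript:alert(1))"},
    {"id": "page-5", "body": "%3Cscript%3Ealert(1)%3C%2Fscript%3E"},
    {"id": "page-6", "body": "Use `onclick` handlers sparingly; see the section on events."},
]

if __name__ == "__main__":
    for page_id, found in triage(SAMPLES).items():
        print(page_id, ", ".join(found))
```

A hit marks content for manual review; prose that happens to contain the text "javascript:" will also match.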