CVE-2025-64048

6.1 MEDIUM

📋 TL;DR

YCCMS 3.4 contains a stored XSS vulnerability in article management that allows attackers to inject malicious scripts into article titles. When other users view articles with these titles, the scripts execute in their browsers. This affects all YCCMS 3.4 installations with article management functionality.

💻 Affected Systems

Products:
  • YCCMS
Versions: 3.4
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects installations with article management functionality enabled.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal administrator session cookies, take over admin accounts, deface websites, or redirect users to malicious sites, potentially leading to complete system compromise.

🟠 Likely Case

Attackers inject malicious scripts that steal user session cookies or credentials when users view articles, leading to account takeover and unauthorized access.

🟢 If Mitigated

With proper input validation and output encoding, malicious scripts are neutralized before execution, preventing successful exploitation.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires access to article management functionality, typically requiring at least contributor-level permissions.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: http://yccms.com

Restart Required: No

Instructions:

1. Check vendor website for security updates
2. Apply any available patches
3. Verify fix by testing article title input validation

🔧 Temporary Workarounds

Input Validation and Output Encoding

Platforms: all

Implement proper input validation on the article title field and encode the title on output before displaying it.

Modify ArticleAction.class.php to sanitize user input in the add() and getPost() functions.

🧯 If You Can't Patch

  • Disable article management functionality if not required
  • Implement web application firewall (WAF) rules to block XSS payloads

🔍 How to Verify

Check if Vulnerable:

Enter an XSS test payload in the article title field (e.g., <script>alert('XSS')</script>) and check whether it executes when the article is viewed.

Check Version:

Check YCCMS version in admin panel or configuration files

Verify Fix Applied:

Test with the same XSS payloads and verify that they are properly sanitized and do not execute.

📡 Detection & Monitoring

Log Indicators:

  • Unusual article creation/modification patterns
  • Suspicious characters in article titles

Network Indicators:

  • Requests containing XSS payloads in POST parameters

SIEM Query:

search 'article' AND ('<script>' OR 'javascript:' OR 'onload=' OR 'onerror=')
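
The SIEM query above matches literal strings, but form-encoded POST bodies carry the title percent-encoded, so this added example (not part of the original advisory or of YCCMS) decodes each field before matching the same four indicators. The log line layout, the /admin/article path and the title/content parameter names are assumptions, and the sample lines are constructed.

```python
import re
from html import unescape
from urllib.parse import parse_qsl, unquote_plus

# The four indicators from the SIEM query, matched case-insensitively.
INDICATORS = re.compile(r"<script\b|javascript:|\bonload\s*=|\bonerror\s*=", re.I)

def normalize(value, rounds=2):
    """Undo extra URL-encoding layers (bounded) and HTML entities before matching."""
    for _ in range(rounds):
        decoded = unescape(unquote_plus(value))
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_fields(body):
    """Return {field: decoded value} for form fields that match an indicator."""
    hits = {}
    for name, raw in parse_qsl(body, keep_blank_values=True):  # first decode pass
        value = normalize(raw)
        if INDICATORS.search(value):
            hits[name] = value
    return hits

def scan(lines):
    """Return (timestamp, client, field, value) for suspicious article POSTs."""
    alerts = []
    for line in lines:
        ts, client, method, path, body = line.split(" ", 4)
        if method != "POST" or "article" not in path:
            continue
        for field, value in suspicious_fields(body).items():
            alerts.append((ts, client, field, value))
    return alerts

# Constructed sample log: "<timestamp> <client> <method> <path> <form body>"
SAMPLE_LOG = [
    "2025-01-01T10:00:00Z 203.0.113.5 POST /admin/article title=Quarterly+update&content=hello",
    "2025-01-01T10:01:00Z 203.0.113.9 POST /admin/article title=%3Cscript%3Ealert('XSS')%3C%2Fscript%3E&content=x",
    "2025-01-01T10:02:00Z 203.0.113.9 POST /admin/article title=%253Cscript%253Ealert('XSS')%253C%252Fscript%253E&content=x",
    "2025-01-01T10:03:00Z 203.0.113.7 POST /admin/article title=Why+JavaScript+matters&content=y",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

A literal search for '<script>' would match neither flagged line as logged; the benign title containing the word "JavaScript" is not flagged because the indicator requires the `javascript:` scheme form.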
