CVE-2025-66686
📋 TL;DR
A stored XSS vulnerability in Perch CMS 3.2 allows authenticated administrators to inject malicious JavaScript into the Help button URL setting. When other authenticated users click the Help button, the script executes, potentially compromising their sessions. This affects all Perch CMS 3.2 installations with administrative users.
💻 Affected Systems
- Perch CMS
📦 What is this software?
Perch by Grabaperch
⚠️ Risk & Real-World Impact
Worst Case
An attacker with admin access could hijack other admin sessions, steal credentials, escalate privileges to full system control, or perform unauthorized administrative actions leading to complete system compromise.
Likely Case
Session hijacking of other authenticated users, information disclosure from admin panels, and potential privilege escalation within the CMS.
If Mitigated
Limited impact with proper input validation and output encoding, though stored XSS could still affect users who click the Help button.
🎯 Exploit Status
Exploitation requires administrative credentials. The PoC demonstrates simple JavaScript injection into the Help button URL field.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not available
Vendor Advisory: Not available
Restart Required: No
Instructions:
1. Check for an official patch from the Perch CMS developers.
2. If a patch is available, download and apply it according to the vendor's instructions.
3. Verify the fix by testing the Help button functionality.
🔧 Temporary Workarounds
Input Validation and Sanitization
Applies to all platforms. Implement server-side validation of the Help button URL field, and output encoding where the value is rendered, so that JavaScript cannot be injected through the setting.
Disable Help Button
Applies to all platforms. Remove or disable the Help button functionality in the admin panel so that a stored malicious value cannot be executed.
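As an added illustration of the first workaround (example code, not Perch's own, written in Python for clarity rather than the CMS's PHP), the check below allowlists http(s) and site-relative URLs for the Help button setting, strips the control characters browsers ignore when parsing a scheme, and entity-encodes the value when rendering the href; the fallback path is a placeholder, not a real Perch route.

```python
import html
from urllib.parse import urlsplit

# Only absolute http(s) URLs and site-relative paths are accepted.
ALLOWED_SCHEMES = {"http", "https"}
# Placeholder fallback for illustration only (not Perch's real help path).
DEFAULT_HELP_URL = "/admin/help/"


def validate_help_url(raw):
    """Return the cleaned URL if it is safe to store, otherwise None."""
    if raw is None:
        return None
    # Browsers drop tabs, newlines and other control characters before
    # parsing the scheme, so "java\tscript:" is treated as "javascript:".
    # Remove them here so the scheme check sees what the browser would see.
    cleaned = "".join(ch for ch in raw if ch.isprintable()).strip()
    if not cleaned or len(cleaned) > 2048:
        return None
    try:
        parts = urlsplit(cleaned)
    except ValueError:  # malformed host, e.g. an unterminated IPv6 literal
        return None
    scheme = parts.scheme.lower()
    if scheme:
        # Absolute URL: scheme must be allowlisted and a host must be present.
        if scheme not in ALLOWED_SCHEMES or not parts.netloc:
            return None
    else:
        # Relative URL: must be site-relative ("/path"), never "//host" or
        # an attribute-breakout fragment such as '" onmouseover="...'.
        if not cleaned.startswith("/") or cleaned.startswith("//"):
            return None
    return cleaned


def render_help_button(stored_url):
    """Render the Help link with the stored value output-encoded for an
    href attribute, so even a value that slipped past validation cannot
    break out of the attribute."""
    safe = validate_help_url(stored_url)
    if safe is None:
        safe = DEFAULT_HELP_URL
    return '<a href="%s" class="help">Help</a>' % html.escape(safe, quote=True)
```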
🧯 If You Can't Patch
- Restrict administrative access to trusted users only and implement strict access controls.
- Implement Content Security Policy (CSP) headers to mitigate XSS impact and monitor for suspicious admin activities.
🔍 How to Verify
Check if Vulnerable:
Check whether you are running Perch CMS version 3.2. Attempt to inject a simple script such as <script>alert('XSS')</script> into the Help button URL field in the admin panel.
Check Version:
Check Perch CMS version in admin panel or via configuration files.
Verify Fix Applied:
After applying fixes, test the Help button URL field with XSS payloads to ensure they are properly sanitized or blocked.
📡 Detection & Monitoring
Log Indicators:
- Unusual modifications to Help button URL settings in admin logs
- Multiple failed login attempts followed by successful admin login
Network Indicators:
- Unexpected JavaScript execution in admin panel traffic
- Suspicious outbound connections from admin sessions
SIEM Query:
source="perch_cms_logs" AND (event="admin_setting_change" AND setting="help_button_url")