CVE-2025-67291
📋 TL;DR
A stored cross-site scripting vulnerability in Piranha CMS v12.1 allows attackers to inject malicious scripts into the Media module's Name field. This affects all users of Piranha CMS v12.1 who have the Media module enabled. When exploited, the malicious scripts execute in victims' browsers when they view the compromised media content.
💻 Affected Systems
- Piranha CMS
📦 What is this software?
Piranha Cms by Dotnetfoundation
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator session cookies, perform account takeover, deface websites, or redirect users to malicious sites, potentially leading to complete system compromise.
Likely Case
Attackers inject malicious scripts that steal user session cookies or credentials when users view media content, leading to unauthorized access to user accounts.
If Mitigated
With proper input validation and output encoding, the payload would be sanitized and rendered harmless as text rather than executable code.
🎯 Exploit Status
Exploitation requires authentication to access the Media module, but once authenticated, the attack is straightforward. Public proof-of-concept code is available in the GitHub repository.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not available
Vendor Advisory: http://piranha.com
Restart Required: No
Instructions:
1. Check the Piranha CMS vendor website for security updates. 2. If a patch is released, download and apply it according to vendor instructions. 3. Verify the fix by testing the Name field for XSS vulnerabilities.
🔧 Temporary Workarounds
Input Validation and Sanitization
allImplement server-side input validation to reject or sanitize HTML/JavaScript in the Name field.
Content Security Policy
allImplement a strict Content Security Policy header to prevent execution of inline scripts.
Content-Security-Policy: default-src 'self'; script-src 'self'
🧯 If You Can't Patch
- Disable the Media module if not required for your use case.
- Implement web application firewall rules to block XSS payloads in the Name parameter.
🔍 How to Verify
Check if Vulnerable:
Test by entering a basic XSS payload like <script>alert('XSS')</script> in the Media module's Name field and check if it executes when viewing the media.Check Version:
Check the CMS version in the admin panel or configuration files.Verify Fix Applied:
After applying fixes, retest with the same XSS payload to ensure it's sanitized and doesn't execute.📡 Detection & Monitoring
Log Indicators:
- Unusual entries in media upload logs with script tags or JavaScript code in the Name field
- Multiple failed login attempts followed by media uploads
Network Indicators:
- HTTP requests with suspicious payloads in the Name parameter
- Outbound connections to unknown domains after viewing media content
SIEM Query:
source="web_logs" AND (Name CONTAINS "<script>" OR Name CONTAINS "javascript:")