CVE-2025-71165
📋 TL;DR
This reflected XSS vulnerability in Typesetter CMS allows authenticated attackers to inject malicious scripts into the administrative interface's Tools Status page. When an authenticated administrator views the crafted URL, arbitrary JavaScript executes in their browser session. Only Typesetter CMS installations with administrative users are affected.
💻 Affected Systems
- Typesetter CMS
📦 What is this software?
Typesetter by Typesettercms
⚠️ Risk & Real-World Impact
Worst Case
An authenticated attacker could steal administrator session cookies, perform actions as the administrator (like adding backdoors or modifying content), or redirect to phishing sites.
Likely Case
Session hijacking leading to unauthorized administrative actions, data theft, or website defacement.
If Mitigated
Limited impact if administrators use separate browser profiles for admin tasks and have strong session management.
🎯 Exploit Status
Exploitation requires authenticated access; proof-of-concept is publicly available in GitHub issue #709.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.2 or later
Vendor Advisory: https://github.com/Typesetter/Typesetter/issues/709
Restart Required: No
Instructions:
1. Back up your Typesetter CMS installation.
2. Download the latest version from the official GitHub repository.
3. Replace the affected file include/admin/Tools/Status.php with the patched version.
4. Verify the fix by checking that the path parameter is now properly encoded.
🔧 Temporary Workarounds
Input Validation Filter
Add input validation to sanitize the path parameter before processing.
Edit include/admin/Tools/Status.php and add htmlspecialchars() or similar encoding around the path parameter output.
🧯 If You Can't Patch
- Restrict administrative access to trusted IP addresses only.
- Implement a Web Application Firewall (WAF) with XSS protection rules.
🔍 How to Verify
Check if Vulnerable:
Access the administrative interface, navigate to Tools > Status, and check whether the value of the path query parameter is reflected unencoded in the HTML response.
Check Version:
Check the version in the admin panel or review the CHANGELOG.md file in the installation directory.
Verify Fix Applied:
After patching, test by injecting a simple XSS payload (e.g., <script>alert('test')</script>) into the path parameter and verify it is encoded in the output.
📡 Detection & Monitoring
Log Indicators:
- Unusual requests to include/admin/Tools/Status.php with suspicious parameters containing script tags or JavaScript code.
Network Indicators:
- HTTP requests with encoded script tags in query parameters targeting the admin interface.
SIEM Query:
source="web_server_logs" AND uri="/include/admin/Tools/Status.php" AND param="path" AND (value CONTAINS "<script>" OR value CONTAINS "javascript:")
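As an added example that is not part of this advisory, the log and network indicators above as a small Python scanner: it parses combined-format access log lines (the log layout is an assumption), selects requests to the Status.php path, and checks the path parameter for script tags or javascript: URLs after fully URL-decoding it, so the encoded and double-encoded forms that a literal CONTAINS "<script>" match would miss are still flagged. The sample log lines are constructed for this example.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Handler path as given in the advisory's log and SIEM indicators.
STATUS_PATH = "/include/admin/Tools/Status.php"
# Indicator patterns the advisory names (script tags, javascript: URLs), applied after decoding.
SUSPICIOUS = re.compile(r"<\s*script\b|javascript\s*:", re.IGNORECASE)
# Combined-log-format line; the layout is an assumption, adjust the regex to your server's format.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})')

# Constructed sample lines: encoded, double-encoded and javascript: payloads, then benign traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jan/2025:10:00:01 +0000] "GET /include/admin/Tools/Status.php?path=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Jan/2025:10:00:02 +0000] "GET /include/admin/Tools/Status.php?path=%253Cscript%253Esrc%253Dx HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Jan/2025:10:00:03 +0000] "GET /include/admin/Tools/Status.php?path=javascript%3Aalert(1) HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Jan/2025:10:01:00 +0000] "GET /include/admin/Tools/Status.php?path=/data/_uploaded HTTP/1.1" 200 800',
    '198.51.100.7 - - [10/Jan/2025:10:02:00 +0000] "GET /index.php?path=%3Cscript%3E HTTP/1.1" 200 800',
]

def decode_fully(value, max_rounds=3):
    """Strip repeated percent-encoding so double-encoded payloads are inspected in the clear."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_path_param(target):
    """Return the decoded offending 'path' value for a Status.php request, else None."""
    parts = urlsplit(target)
    if not parts.path.endswith(STATUS_PATH):
        return None
    for value in parse_qs(parts.query, keep_blank_values=True).get("path", []):  # removes one encoding layer
        decoded = decode_fully(value)  # handles any layers nested beneath it
        if SUSPICIOUS.search(decoded):
            return decoded
    return None

def scan_log(lines):
    """Return (client ip, timestamp, decoded payload) for every line matching the indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        payload = suspicious_path_param(m.group("target")) if m else None
        if payload is not None:
            hits.append((m.group("ip"), m.group("ts"), payload))
    return hits
```

The decoded payload is returned alongside the client IP and timestamp so an alert can show what was actually sent rather than the raw percent-encoded string.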