CVE-2025-71166
📋 TL;DR
This reflected XSS vulnerability in Typesetter CMS allows authenticated attackers to inject malicious scripts into the administrative interface. When exploited, it enables arbitrary JavaScript execution within authenticated users' browser sessions. Only administrators with access to the Tools Status section are affected.
💻 Affected Systems
- Typesetter CMS
📦 What is this software?
Typesetter by Typesettercms
⚠️ Risk & Real-World Impact
Worst Case
An authenticated attacker could steal administrator session cookies, perform actions as the administrator, or redirect to malicious sites, potentially leading to full CMS compromise.
Likely Case
Session hijacking of administrative users, allowing unauthorized access to the CMS backend and potential data manipulation.
If Mitigated
Limited impact due to requiring authenticated access and specific administrative privileges; proper input validation would prevent exploitation.
🎯 Exploit Status
Exploitation requires authenticated administrative access; the vulnerability is straightforward to exploit once authenticated.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after 5.1
Vendor Advisory: https://github.com/Typesetter/Typesetter/issues/707
Restart Required: No
Instructions:
1. Upgrade Typesetter CMS to version 5.2 or later.
2. No restart required as this is a PHP application.
3. Verify the fix by checking the version in the admin panel.
🔧 Temporary Workarounds
Input Validation Filter
Add input validation to sanitize the path parameter before processing
Edit include/admin/Tools/Status.php and add htmlspecialchars() or similar sanitization to the path parameter
Access Restriction
Restrict access to the Tools Status section to specific trusted IP addresses
Add IP-based restrictions in .htaccess or web server configuration for /admin/Tools/Status.php
🧯 If You Can't Patch
- Implement strict Content Security Policy (CSP) headers to prevent script execution from untrusted sources
- Monitor administrative user sessions for unusual activity and implement session timeout policies
🔍 How to Verify
Check if Vulnerable:
Check if your Typesetter CMS version is 5.1 or earlier in the admin panel or by examining the installation files
Check Version:
Check the version in the admin dashboard or examine the CHANGELOG.txt file in the installation directory
Verify Fix Applied:
After upgrading, verify the version is 5.2 or later and test the Tools Status functionality with malicious input
📡 Detection & Monitoring
Log Indicators:
- Unusual GET/POST requests to /admin/Tools/Status.php with script tags or JavaScript in parameters
- Multiple failed login attempts followed by access to admin tools
Network Indicators:
- HTTP requests containing <script> tags or JavaScript in the path parameter to the admin interface
SIEM Query:
source="web_logs" AND (url_path="/admin/Tools/Status.php" AND (query_string="*<script>*" OR query_string="*javascript:*"))
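The log indicators and SIEM query above are shown here as a small offline detector, added as an example and not part of the advisory. It assumes Combined Log Format access logs, uses constructed sample lines (not real traffic), and URL-decodes parameter values before matching, because a raw query string carries `%3Cscript%3E` rather than the literal `<script>` the SIEM pattern looks for.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample access-log lines (Combined Log Format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2025:12:00:01 +0000] "GET /admin/Tools/Status.php?path=%2Fvar%2Fwww HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2025:12:00:05 +0000] "GET /admin/Tools/Status.php?path=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 611 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2025:12:01:10 +0000] "GET /admin/Tools/Status.php?path=javascript%3Aalert(1) HTTP/1.1" 200 598 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2025:12:02:00 +0000] "GET /index.php?q=%3Cscript%3E HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

# Minimal Combined Log Format parser: client IP, timestamp, method, request URL, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)
TARGET_PATH = "/admin/Tools/Status.php"
# Same two indicators as the advisory's SIEM query: a script tag or a javascript: URL.
SUSPICIOUS = re.compile(r"<\s*script|javascript\s*:", re.IGNORECASE)


def decode_fully(value, rounds=3):
    """Decode repeatedly so a double-encoded '<' (%253C) is also caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_suspicious_requests(log_text):
    """Return one record per request to the Tools Status page whose decoded
    query parameter matches a script-injection indicator."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a log line we understand; skip rather than crash
        parts = urlsplit(m.group("url"))
        if parts.path != TARGET_PATH:
            continue
        for name, raw in parse_qsl(parts.query, keep_blank_values=True):
            value = decode_fully(raw)
            if SUSPICIOUS.search(value):
                hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                             "param": name, "value": value})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_requests(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} param={hit["param"]} value={hit["value"]!r}')
```

Only the two Status.php requests with a script tag or javascript: URL in a decoded parameter are reported; the benign path value and the request to a different page are ignored.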