CVE-2025-71165
MEDIUM 5.4
Description
Typesetter CMS versions up to and including 5.1 contain a reflected cross-site scripting (XSS) vulnerability in the administrative interface within the Tools Status functionality. The path parameter is reflected into the HTML response without proper output encoding in include/admin/Tools/Status.php. An authenticated attacker can supply crafted input containing HTML or JavaScript, resulting in arbitrary script execution in the context of an authenticated user's browser session.
CVE Details
CVSS v3.1 score: 5.4
Severity: MEDIUM
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack vector: NETWORK
Complexity: LOW
Privileges required: LOW
User interaction: REQUIRED
Published: 1/14/2026
Last modified: 1/21/2026
Source: nvd
Honeypot sightings: 0
Affected products
typesettercms:typesetter
Weaknesses (CWE)
CWE-79
References
https://github.com/Typesetter/Typesetter (disclosure@vulncheck.com)
https://github.com/Typesetter/Typesetter/issues/709 (disclosure@vulncheck.com)
https://www.vulncheck.com/advisories/typesetter-cms-reflected-xss-via-status-php (disclosure@vulncheck.com)
IOC correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.