← Zuruck zu CVEs
CVE-2025-71166
MEDIUM5.4
Beschreibung
Typesetter CMS versions up to and including 5.1 contain a reflected cross-site scripting (XSS) vulnerability in the administrative interface within the Tools Status move message handling. The path parameter is reflected into the HTML output without proper output encoding in include/admin/Tools/Status.php. An authenticated attacker can supply crafted input containing HTML or JavaScript, resulting in arbitrary script execution in the context of an authenticated user's browser session.
CVE Details
CVSS v3.1 Bewertung5.4
SchweregradMEDIUM
CVSS VektorCVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
AngriffsvektorNETWORK
KomplexitatLOW
Erforderliche PrivilegienLOW
BenutzerinteraktionREQUIRED
Veroffentlicht1/14/2026
Zuletzt geandert1/21/2026
Quellenvd
Honeypot-Sichtungen0
Betroffene Produkte
typesettercms:typesetter
Schwachen (CWE)
CWE-79
Referenzen
https://github.com/Typesetter/Typesetter(disclosure@vulncheck.com)
https://github.com/Typesetter/Typesetter/issues/707(disclosure@vulncheck.com)
https://www.vulncheck.com/advisories/typesetter-cms-reflected-xss-via-move-message-handling(disclosure@vulncheck.com)
IOC Korrelationen
Keine Korrelationen erfasst
This product uses data from the NVD API but is not endorsed or certified by the NVD.