CVE-2025-71166
Severity: MEDIUM (CVSS 5.4)
Description
Typesetter CMS versions up to and including 5.1 contain a reflected cross-site scripting (XSS) vulnerability in the administrative interface within the Tools Status move message handling. The path parameter is reflected into the HTML output without proper output encoding in include/admin/Tools/Status.php. An authenticated attacker can supply crafted input containing HTML or JavaScript, resulting in arbitrary script execution in the context of an authenticated user's browser session.
CVE details
CVSS v3.1 score: 5.4
Severity: MEDIUM
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: LOW
User interaction: REQUIRED
Published: 1/14/2026
Last modified: 1/21/2026
Source: nvd
Honeypot sightings: 0
Affected products
typesettercms:typesetter
Weaknesses (CWE)
CWE-79
References
https://github.com/Typesetter/Typesetter (source: disclosure@vulncheck.com)
https://github.com/Typesetter/Typesetter/issues/707 (source: disclosure@vulncheck.com)
https://www.vulncheck.com/advisories/typesetter-cms-reflected-xss-via-move-message-handling (source: disclosure@vulncheck.com)
IOC correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.