CVE Catalog

CVE-2025-71164

MediumCVSS 5.4
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.19%

9th percentile - higher than 9% of all known CVEs

Summary

Typesetter CMS versions up to and including 5.1 contain a reflected XSS vulnerability in the Editing component. The images parameter (submitted as images[] in a POST request) is reflected into an HTML href attribute without proper context-aware output encoding in include/tool/Editing.php. An authenticated attacker with editing privileges can supply a JavaScript pseudo-protocol (e.g., javascript:) to trigger arbitrary JavaScript execution in the context of the victim's browser session.

Risk Assessment

The risk for the organization includes session theft, admin account takeover, or unauthorized actions in the CMS by an attacker exploiting the vulnerability to inject malicious scripts.

Recommendation

It is recommended to immediately upgrade Typesetter CMS to a version above 5.1 or apply a security patch that implements proper output encoding for the images parameter in Editing.php.

Original NVD description (English source)

Typesetter CMS versions up to and including 5.1 contain a reflected cross-site scripting (XSS) vulnerability in the Editing component. The images parameter (submitted as images[] in a POST request) is reflected into an HTML href attribute without proper context-aware output encoding in include/tool/Editing.php. An authenticated attacker with editing privileges can supply a JavaScript pseudo-protocol (e.g., javascript:) to trigger arbitrary JavaScript execution in the context of the victim's browser session.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS