ByteOS Network

CVE Vulnerability Details :

CVE-2025-54543

PUBLISHED

More Info Official Page

Assigner-CERT-PL

Assigner Org ID-4bb8329e-dd38-46c1-aafb-9bf32bcb93c6

Published At-28 Aug, 2025 | 10:12

Updated At-28 Aug, 2025 | 13:34

▼CVE Numbering Authority (CNA)

Stored XSS in QuickCMS

QuickCMS is vulnerable to Stored XSS via sDescriptionMeta parameter in page editor SEO functionality. Malicious attacker with admin privileges can inject arbitrary HTML and JS into website, which will be rendered/executed when visiting edited page. By default admin user is not able to add JavaScript into the website. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version 6.8 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable.

Affected Products

Vendor

OpenSolution

Product

QuickCMS

Default Status

unaffected

Versions

Affected

6.8 (semver)

Problem Types

Type	CWE ID	Description
CWE	CWE-79	CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')

Metrics

Version	Base score	Base severity	Vector
4.0	5.3	MEDIUM	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Impacts

CAPEC ID	Description
CAPEC-592	CAPEC-592 Stored XSS

Credits

finder

Karol Czubernat

References

Hyperlink	Resource
https://cert.pl/posts/2025/08/CVE-2025-54540	third-party-advisory
https://opensolution.org	product

▼Authorized Data Publishers (ADP)

CISA ADP Vulnrichment

Affected Products

Affected

Problem Types

Metrics

Metrics Other Info

Impacts

Solutions

Configurations

Workarounds

Exploits

Credits

Timeline

Replaced By

Rejected Reason

References

Affected Products

Metrics

Metrics Other Info

Impacts

Solutions

Configurations

Workarounds

Exploits

Credits

Timeline

Replaced By

Rejected Reason

References