CVE-2025-5420
Cross-Site Scripting (XSS) vulnerability in juzaweb CMS
Overview
CVE-2025-5420 is a cross-site scripting vulnerability in juzaweb CMS up to and including version 3.4.2. The vulnerability, rated problematic, affects an unknown function of the file /admin-cp/file-manager/upload in the Profile Page component.
Technical Details
Manipulating the argument "upload" leads to cross-site scripting (XSS). The attack can be launched remotely, but the affected endpoint sits under the admin control panel and the CVSS vector records low privileges required, so an attacker needs an account that can reach the file manager. The vulnerability has been publicly disclosed; the vendor has not yet responded.
CVSS Metrics
- Attack Vector: NETWORK
- Attack Complexity: LOW
- Privileges Required: LOW
- User Interaction: PASSIVE
- Vulnerability Confidentiality Impact: NONE
- Vulnerability Integrity Impact: LOW
- Vulnerability Availability Impact: NONE
- Base Score: 5.1
- Base Severity: MEDIUM
Impact
Successful exploitation allows an attacker to inject arbitrary web script into pages rendered for other users, a cross-site scripting condition that puts those users' sessions and data at risk.
Recommendations
Update to the latest version of juzaweb CMS. In upload handlers generally, validate and sanitize both the uploaded filename and the file content rather than trusting client-supplied values, encode any stored value for the HTML context in which it is rendered, and avoid exposing detailed error messages to users.
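The advisory does not state which part of the "upload" argument reaches the page, so the following is a generic illustration of the hardening the recommendation describes, written for this page as an added example. It is not juzaweb code, and it assumes a file-manager upload handler that receives a client-chosen filename, a client-declared Content-Type and the raw bytes, later lists the stored names in admin HTML, and serves the files back from the same origin. The allow-list, the magic-byte table, the helper names and the sample uploads are all constructed for the example.

```python
"""Added example (not juzaweb code): hardening a file-manager upload
endpoint against XSS via the filename or the uploaded content."""
import html
import os
import re

# Assumption: the file manager only needs raster images and PDFs.
# Each allowed extension maps to the type its bytes must sniff as.
ALLOWED = {
    "png": "image/png",
    "jpg": "image/jpeg",
    "jpeg": "image/jpeg",
    "gif": "image/gif",
    "pdf": "application/pdf",
}
# Constructed magic-byte table for the allowed types.
MAGIC = [
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"%PDF-", "application/pdf"),
]


def sniff_mime(data):
    """Derive the type from the bytes, never from the client's Content-Type."""
    for magic, mime in MAGIC:
        if data.startswith(magic):
            return mime
    return None


def sanitize_filename(name):
    """Drop path components and replace anything outside [A-Za-z0-9._-]."""
    base = os.path.basename(name.replace("\\", "/"))
    base = re.sub(r"[^A-Za-z0-9._-]", "_", base).strip("._")
    return (base or "upload")[:100]


def validate_upload(filename, declared_type, data):
    """Return (accepted, reason, stored_name, served_type).

    declared_type is accepted as a parameter only so the caller can log it;
    it is deliberately not used for any decision.
    """
    stored = sanitize_filename(filename)
    ext = stored.rsplit(".", 1)[-1].lower() if "." in stored else ""
    if ext not in ALLOWED:
        return False, "extension not in allow-list", None, None
    sniffed = sniff_mime(data)
    if sniffed != ALLOWED[ext]:
        # Rejects SVG/HTML renamed to .png, PDF-in-.png polyglots, etc.
        return False, "content does not match extension", None, None
    return True, "ok", stored, sniffed


def render_file_list_vulnerable(names):
    """The bug pattern: stored names interpolated raw into admin HTML."""
    return "<ul>" + "".join(f"<li>{n}</li>" for n in names) + "</ul>"


def render_file_list(names):
    """Hardened: HTML-encode every name for the element-content context."""
    return "<ul>" + "".join(
        f"<li>{html.escape(n, quote=True)}</li>" for n in names
    ) + "</ul>"


def download_headers(stored_name, served_type):
    """Serve uploads with the sniffed type, no MIME sniffing, as attachment,
    so even an accepted file cannot execute script in the site's origin."""
    return {
        "Content-Type": served_type,
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": f'attachment; filename="{stored_name}"',
    }


# Constructed sample uploads (not real traffic).
PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SVG = b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"></svg>'

if __name__ == "__main__":
    print(validate_upload('<img src=x onerror=alert(1)>.png', "image/png", PNG))
    print(validate_upload("logo.png", "image/png", SVG))
    print(render_file_list_vulnerable(["<script>alert(1)</script>.png"]))
    print(render_file_list(["<script>alert(1)</script>.png"]))
```

The two checks are independent on purpose: sanitizing the name stops markup smuggled through the filename, while sniffing the bytes and serving with nosniff and an attachment disposition stops active content (SVG, HTML) from being stored under an image extension and rendered in the site's origin. Output encoding at render time is still required, because the file list may also show names that were stored before the fix.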
Threat Metrics
- cvss_score: 5.1
- severity: MEDIUM
- attack_vector: NETWORK
- attack_complexity: LOW