Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-64046

CVE-2025-64046: Openrapid RapidCMS XSS Vulnerability

CVE-2025-64046 is a Cross Site Scripting flaw in Openrapid RapidCMS 1.3.1 affecting /system/update-run.php that allows attackers to inject malicious scripts. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2025-64046 Overview

CVE-2025-64046 is a Cross-Site Scripting (XSS) vulnerability affecting OpenRapid RapidCMS version 1.3.1. The flaw resides in the /system/update-run.php endpoint, which fails to properly sanitize user-supplied input before rendering it in the response. An attacker can craft a malicious URL or form submission that executes arbitrary JavaScript in the victim's browser session. The vulnerability is tracked under CWE-79: Improper Neutralization of Input During Web Page Generation.

Critical Impact

Successful exploitation allows attackers to execute arbitrary JavaScript in an authenticated user's browser, enabling session hijacking, credential theft, and unauthorized administrative actions within the RapidCMS interface.

Affected Products

  • OpenRapid RapidCMS 1.3.1
  • CPE: cpe:2.3:a:openrapid:rapidcms:1.3.1
  • Vulnerable endpoint: /system/update-run.php

Discovery Timeline

  • 2025-11-17 - CVE-2025-64046 published to NVD
  • 2026-07-05 - Last updated in NVD database

Technical Details for CVE-2025-64046

Vulnerability Analysis

The vulnerability exists in the /system/update-run.php script within OpenRapid RapidCMS 1.3.1. The script accepts input parameters and reflects them into the HTTP response without applying output encoding or input validation. This allows an attacker to inject HTML and JavaScript payloads that execute in the context of the RapidCMS origin.

Because the vulnerability requires user interaction, exploitation typically relies on social engineering. An attacker sends a crafted link to an authenticated administrator, and the payload executes with the privileges of that user session. The CVSS scope change indicates the injected script can affect resources beyond the vulnerable component, such as other pages in the same origin.

Root Cause

The root cause is missing input sanitization and output encoding in /system/update-run.php. The script trusts request parameters and embeds them directly into HTML output. No context-aware escaping is performed before rendering, which is the standard mitigation for reflected XSS as defined in [CWE-79].

Attack Vector

The attack is network-based and requires user interaction. A typical exploitation path involves an attacker crafting a URL that includes a JavaScript payload as a query or form parameter to /system/update-run.php. When an authenticated RapidCMS administrator clicks the link, the payload renders inline and executes. Public proof-of-concept details are available in the GitHub Gist Exploit Code reference.

// No verified exploit code available - see the referenced GitHub Gist
// for a documented proof-of-concept demonstrating the reflected XSS payload
// against /system/update-run.php in RapidCMS 1.3.1.

Detection Methods for CVE-2025-64046

Indicators of Compromise

  • HTTP requests to /system/update-run.php containing script tags, javascript: URIs, or event handler attributes such as onerror= and onload=
  • Web server access logs showing URL-encoded payloads like %3Cscript%3E targeting the vulnerable endpoint
  • Unexpected outbound requests from administrator browsers to attacker-controlled domains following visits to RapidCMS pages

Detection Strategies

  • Deploy web application firewall (WAF) rules that inspect query parameters and POST bodies destined for /system/update-run.php for XSS signatures
  • Enable Content Security Policy (CSP) violation reporting to capture inline script execution attempts
  • Correlate authenticated administrator sessions with suspicious referrer headers or short-lived session anomalies

Monitoring Recommendations

  • Log and alert on all requests to /system/update-run.php containing angle brackets, HTML entities, or JavaScript keywords in parameters
  • Monitor administrator account activity for unauthorized configuration changes that could result from stolen session tokens
  • Review browser telemetry for script execution originating from RapidCMS pages that reference external resources

How to Mitigate CVE-2025-64046

Immediate Actions Required

  • Restrict access to the RapidCMS administrative interface using network-level controls or IP allowlisting until a patch is available
  • Instruct administrators to avoid clicking untrusted links referencing the RapidCMS installation
  • Deploy a WAF rule that blocks XSS payload patterns targeting /system/update-run.php

Patch Information

No vendor patch has been published in the referenced advisories at the time of NVD publication. Monitor the OpenRapid RapidCMS project for security updates and apply fixes as soon as they are released. Review the GitHub Gist Exploit Code reference for technical details useful in validating any vendor fix.

Workarounds

  • Configure a strict Content Security Policy that disallows inline scripts and restricts script sources to trusted origins
  • Enable the HttpOnly and Secure flags on session cookies to reduce the impact of stolen tokens
  • Apply reverse-proxy filtering to strip or encode HTML metacharacters in requests to /system/update-run.php
bash
# Example nginx rule to block obvious XSS payloads to the vulnerable endpoint
location /system/update-run.php {
    if ($args ~* "(<|%3C)script|javascript:|onerror=|onload=") {
        return 403;
    }
    proxy_pass http://rapidcms_backend;
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.