Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-64048

CVE-2025-64048: Yccms Yccms Stored XSS Vulnerability

CVE-2025-64048 is a stored cross-site scripting vulnerability in Yccms Yccms 3.4 affecting article management. Attackers can inject malicious scripts through article titles. This article covers technical details, impact, and mitigation.

Published:

CVE-2025-64048 Overview

CVE-2025-64048 is a stored cross-site scripting (XSS) vulnerability affecting YCCMS version 3.4. The flaw resides in the article management functionality, specifically within the add() and getPost() functions of the ArticleAction.class.php file. YCCMS fails to properly neutralize user-supplied input in the article title field before persisting it to storage and rendering it back to users. Attackers who can submit or edit articles can inject arbitrary JavaScript that executes in the browsers of subsequent visitors, including administrators. The vulnerability is classified under [CWE-79] Improper Neutralization of Input During Web Page Generation.

Critical Impact

Successful exploitation enables session hijacking, credential theft, and administrative account takeover through malicious script execution in authenticated user sessions.

Affected Products

  • YCCMS 3.4
  • ArticleAction.class.php article management component
  • YCCMS instances exposing article creation and editing functionality to untrusted users

Discovery Timeline

  • 2025-11-24 - CVE-2025-64048 published to the National Vulnerability Database
  • 2026-07-05 - Last updated in NVD database

Technical Details for CVE-2025-64048

Vulnerability Analysis

The vulnerability is a stored XSS flaw in YCCMS 3.4's content management workflow. The add() function accepts article submissions containing a title field, and getPost() retrieves user-controlled data from the request. Neither function applies output encoding or input sanitization to strip HTML control characters or script tags from the article title. Because the payload is persisted in the database, every user who subsequently views the affected article page triggers execution of the injected script. Stored XSS attacks require user interaction to load the affected page, but persistence means a single injection can compromise many victims over time.

Root Cause

The root cause is missing output encoding and input validation in the add() and getPost() functions inside ArticleAction.class.php. User input flows directly from the HTTP request into database storage and later into rendered HTML without being passed through a context-aware encoder such as htmlspecialchars(). This violates the CWE-79 guidance to neutralize special characters before web page generation.

Attack Vector

An unauthenticated or low-privileged attacker submits an article whose title contains an HTML or JavaScript payload. The payload is stored in the YCCMS backend without sanitization. When an administrator or another user views the article list or detail view, the browser parses the injected markup and executes the attacker's script in the origin of the YCCMS application. Attackers commonly use this primitive to steal session cookies, perform actions as the victim, or pivot toward administrative takeover of the CMS.

No verified exploit code is published beyond the referenced proof-of-concept. See the GitHub Gist PoC for technical reproduction details.

Detection Methods for CVE-2025-64048

Indicators of Compromise

  • Article title fields containing HTML tags such as <script>, <img onerror=>, or <svg onload=> stored in the YCCMS database.
  • Unexpected outbound requests from administrator browsers to attacker-controlled domains after viewing YCCMS article pages.
  • Web server logs showing POST requests to the article creation endpoint containing URL-encoded script payloads.

Detection Strategies

  • Query the YCCMS article table for titles containing angle brackets, javascript: URIs, or common XSS keywords.
  • Deploy a web application firewall rule that flags article submissions containing HTML control characters in the title parameter.
  • Review browser Content Security Policy (CSP) violation reports for inline script execution originating from YCCMS pages.

Monitoring Recommendations

  • Monitor authentication and session activity for administrative accounts that recently viewed user-submitted articles.
  • Alert on new administrator sessions established from unexpected IP addresses shortly after article submissions.
  • Capture and retain HTTP request bodies for the article creation and update endpoints to support forensic review.

How to Mitigate CVE-2025-64048

Immediate Actions Required

  • Restrict article creation and editing permissions to trusted, authenticated users only.
  • Audit the YCCMS article database for existing malicious payloads in title fields and purge any suspicious entries.
  • Deploy a WAF rule blocking HTML and JavaScript metacharacters in the article title parameter until a patched release is applied.

Patch Information

No vendor advisory or official patch has been published for CVE-2025-64048 at the time of NVD publication. Administrators should monitor the YCCMS project for updates and apply source-level fixes to ArticleAction.class.php that encode output with htmlspecialchars($title, ENT_QUOTES, 'UTF-8') before rendering and validate input on submission.

Workarounds

  • Apply server-side input validation to reject article titles containing <, >, or " characters.
  • Enforce a strict Content Security Policy that disallows inline scripts and restricts script sources to trusted origins.
  • Place YCCMS behind an authenticated reverse proxy to limit article submission to vetted internal users.
bash
# Example nginx CSP header to mitigate stored XSS execution
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none';" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.