CVE-2025-12920

Summary

A flaw has been found in qianfox FoxCMS up to 1.2.16. Affected by this vulnerability is the function add/edit of the file app/admin/controller/Product.php. This manipulation of the argument Title causes cross site scripting. It is possible to initiate the attack remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Affected Software

VendorProductVersion RangeStatus
qianfoxFoxCMS1.2.0affected
qianfoxFoxCMS1.2.1affected
qianfoxFoxCMS1.2.2affected
qianfoxFoxCMS1.2.3affected
qianfoxFoxCMS1.2.4affected
qianfoxFoxCMS1.2.5affected
qianfoxFoxCMS1.2.6affected
qianfoxFoxCMS1.2.7affected
qianfoxFoxCMS1.2.8affected
qianfoxFoxCMS1.2.9affected
qianfoxFoxCMS1.2.10affected
qianfoxFoxCMS1.2.11affected
qianfoxFoxCMS1.2.12affected
qianfoxFoxCMS1.2.13affected
qianfoxFoxCMS1.2.14affected
qianfoxFoxCMS1.2.15affected
qianfoxFoxCMS1.2.16affected

Weaknesses

  • CWE-79: Cross Site Scripting
  • CWE-94: Code Injection

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: partial

Additional References

References