Executive Summary

Information

Name: CVE-2025-45388
Vendor: Cve
First vendor Publication: 2025-05-07
Last vendor Modification: 2025-05-09

Security-Database Scoring CVSS v3

CVSS vector: N/A
Overall CVSS Score: N/A
Base Score: N/A
Environmental Score: N/A
Impact Sub Score: N/A
Temporal Score: N/A
Exploitability Sub Score: N/A

Security-Database Scoring CVSS v2

CVSS vector: N/A
CVSS Base Score: N/A
CVSS Impact Score: N/A
CVSS Exploit Score: N/A
Attack Range: N/A
Attack Complexity: N/A
Authentication: N/A

Detail

Wagtail CMS 6.4.1 is vulnerable to a Stored Cross-Site Scripting (XSS) in the document upload functionality. Attackers can inject malicious code inside a PDF file. When a user clicks the document in the CMS interface, the payload executes. NOTE: this is disputed by the Supplier because "It has been well documented that when serving uploaded files using a method outside of Wagtail (which admittedly is the default), it requires additional configuration from the developer, because Wagtail cannot control how these are served. ... For example, if a Wagtail instance is configured to upload files into AWS S3, Wagtail cannot control the permissions on how they're served, nor any headers used when serving them (a limitation of S3)."

Original Source

Url: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-45388

Sources (Detail)

https://docs.wagtail.org/en/stable/deployment/under_the_hood.html#documents
https://github.com/echoBRT/Wagtail-CMS-XSS/
https://github.com/wagtail/wagtail/discussions/12617
https://github.com/wagtail/wagtail/pull/12672
https://github.com/wagtail/wagtail/wiki/Security-team

Alert History

Date / Information
2025-05-27 02:58:10
  • First insertion