
119 matches found

Cvelist | added 2025/08/28 10:12 a.m. | 5 views

CVE-2025-54544 Stored XSS in QuickCMS

QuickCMS is vulnerable to Stored XSS via aDirFilesDescriptions parameter in files editor functionality. Malicious attacker with admin privileges can inject arbitrary HTML and JS into website, which will be rendered/executed when visiting edited page. By default admin user is not able to add...

CVSS 5.3 | EPSS 0.00182 | Exploits 0 | References 2

CVE | added 2025/08/28 10:12 a.m. | 18 views

CVE-2025-54544

Product affected: QuickCMS. Vulnerability: Stored XSS via the aDirFilesDescriptions parameter in the files editor. Impact: Malicious HTML/JS can be injected and executed when visiting the edited page. Prerequisites: Attacker must have admin privileges. Evidence from sources: Only version 6.8 was ...

CVSS 5.3 | AI score 5.2 | EPSS 0.00182 | Exploits 0 | References 2 | Affected Software 1

Cvelist | added 2025/08/28 10:12 a.m. | 6 views

CVE-2025-54543 Stored XSS in QuickCMS

QuickCMS is vulnerable to Stored XSS via sDescriptionMeta parameter in page editor SEO functionality. Malicious attacker with admin privileges can inject arbitrary HTML and JS into website, which will be rendered/executed when visiting edited page. By default admin user is not able to add...

CVSS 5.3 | EPSS 0.00182 | Exploits 0 | References 2

CVE | added 2025/08/28 10:12 a.m. | 26 views

CVE-2025-54543

QuickCMS (CMS) is affected by CVE-2025-54543, a Stored XSS in the page editor SEO functionality via the sDescriptionMeta parameter. The vulnerability allows an admin with privileges to inject arbitrary HTML/JS that is rendered when visiting the edited page. Only version 6.8 has been tested and co...

CVSS 5.3 | AI score 5.2 | EPSS 0.00182 | Exploits 0 | References 2 | Affected Software 1

Vulnrichment | added 2025/08/28 10:12 a.m. | 2 views

CVE-2025-54542 Sending Password in GET Request

QuickCMS sends password and login via GET Request. This allows a local attacker with access to the victim's browser history to obtain the necessary credentials to log in as the user. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or...

CVSS 6.9 | AI score 6.1 | EPSS 0.00123 | Exploits 0 | References 2

Cvelist | added 2025/08/28 10:12 a.m. | 5 views

CVE-2025-54541 Cross-Site Request Forgery in QuickCMS

QuickCMS is vulnerable to Cross-Site Request Forgery in page deletion functionality. Malicious attacker can craft special website, which when visited by the admin, will automatically send a POST request deleting an article. The vendor was notified early about this vulnerability, but didn't respon...

CVSS 6.9 | EPSS 0.00136 | Exploits 0 | References 2

Vulnrichment | added 2025/08/28 10:12 a.m. | 1 view

CVE-2025-54541 Cross-Site Request Forgery in QuickCMS

QuickCMS is vulnerable to Cross-Site Request Forgery in page deletion functionality. Malicious attacker can craft special website, which when visited by the admin, will automatically send a POST request deleting an article. The vendor was notified early about this vulnerability, but didn't respon...

CVSS 6.9 | AI score 6 | EPSS 0.00136 | Exploits 0 | References 2

CVE | added 2025/08/28 10:12 a.m. | 22 views

CVE-2025-54541

CVE-2025-54541 affects QuickCMS. The flaw is a Cross-Site Request Forgery in the page deletion function: when an admin visits a crafted site, a POST request can delete an article. Only version 6.8 has been tested as vulnerable; other versions were not tested and may also be affected. The vendor w...

CVSS 6.9 | AI score 6.1 | EPSS 0.00236 | Exploits 0 | References 2 | Affected Software 1

Cvelist | added 2025/08/28 10:12 a.m. | 6 views

CVE-2025-54540 Reflected XSS in QuickCMS

QuickCMS is vulnerable to Reflected XSS via sSort parameter in admin's panel functionality. A malicious attacker can craft a specially crafted URL that, when opened, results in arbitrary JavaScript execution in the victim's browser. The vendor was notified early about this vulnerability, but didn...

CVSS 5.1 | EPSS 0.00236 | Exploits 0 | References 2

Vulnrichment | added 2025/08/28 10:12 a.m. | 1 view

CVE-2025-54540 Reflected XSS in QuickCMS

QuickCMS is vulnerable to Reflected XSS via sSort parameter in admin's panel functionality. A malicious attacker can craft a specially crafted URL that, when opened, results in arbitrary JavaScript execution in the victim's browser. The vendor was notified early about this vulnerability, but didn...

CVSS 5.1 | AI score 5.5 | EPSS 0.00236 | Exploits 0 | References 2

CVE | added 2025/08/28 10:12 a.m. | 25 views

CVE-2025-54540

CVE-2025-54540 affects QuickCMS, with a Reflected XSS in the admin panel via the sSort parameter. The issue allows arbitrary JavaScript execution in the victim’s browser when a crafted URL is opened. Public documentation notes that only version 6.8 was tested and confirmed vulnerable; other versi...

CVSS 6.1 | AI score 5.6 | EPSS 0.00236 | Exploits 0 | References 2 | Affected Software 1

CNNVD | added 2025/08/28 12:0 a.m. | 2 views

QuickCMS Security Vulnerability

QuickCMS is a content management system from QuickCMS Open Source. A security vulnerability exists in QuickCMS version 6.8, which originates from sending password and login information via a GET request, which could lead to credential disclosure...

CVSS 6.9 | AI score 6.2 | EPSS 0.00123 | Exploits 0 | References 3

CNNVD | added 2025/08/28 12:0 a.m. | 2 views

QuickCMS Cross-Site Scripting Vulnerability

QuickCMS is an open source content management system from QuickCMS. A cross-site scripting vulnerability exists in QuickCMS version 6.8, which stems from improper handling of the sDescriptionMeta parameter and could lead to a stored cross-site scripting attack...

CVSS 5.3 | AI score 5.7 | EPSS 0.00182 | Exploits 0 | References 3

CNNVD | added 2025/08/28 12:0 a.m. | 2 views

QuickCMS Cross-Site Scripting Vulnerability

QuickCMS is a content management system of QuickCMS open source. A cross-site scripting vulnerability exists in QuickCMS version 6.8, which originates from the presence of reflective cross-site scripting in the sLangEdit parameter of the admin panel function, which could lead to arbitrary...

CVSS 6.1 | AI score 6 | EPSS 0.00236 | Exploits 0 | References 3

CNNVD | added 2025/08/28 12:0 a.m. | 3 views

QuickCMS Cross-Site Scripting Vulnerability

QuickCMS is an open source content management system from QuickCMS. A cross-site scripting vulnerability exists in QuickCMS version 6.8, which stems from improper handling of the aDirFilesDescriptions parameter and could lead to a stored cross-site scripting attack...

CVSS 5.3 | AI score 5.7 | EPSS 0.00182 | Exploits 0 | References 3

CNNVD | added 2025/08/28 12:0 a.m. | 4 views

QuickCMS Cross-Site Scripting Vulnerability

QuickCMS is an open source content management system from QuickCMS. A cross-site scripting vulnerability exists in QuickCMS version 6.8, which stems from improper handling of the sSort parameter and could lead to a reflective cross-site scripting attack...

CVSS 6.1 | AI score 5.8 | EPSS 0.00236 | Exploits 0 | References 3

RedhatCVE | added 2025/08/22 1:22 p.m. | 8 views

CVE-2025-54175

QuickCMS.EXT is vulnerable to Reflected XSS in sFileName parameter in thumbnail viewer functionality. An attacker can craft a malicious URL that results in arbitrary JavaScript execution in the victim's browser when opened. The vendor was notified early about this vulnerability, but didn't respon...

CVSS 6.1 | AI score 5.8 | EPSS 0.00215 | Exploits 0 | References 1

RedhatCVE | added 2025/08/22 1:22 p.m. | 10 views

CVE-2025-54174

QuickCMS is vulnerable to Cross-Site Request Forgery in article creation functionality. Malicious attacker can craft special website, which when visited by the admin, will automatically send a POST request creating a malicious article with content defined by the attacker. The vendor was notified...

CVSS 5.1 | AI score 6.4 | EPSS 0.00124 | Exploits 0 | References 1

RedhatCVE | added 2025/08/22 1:22 p.m. | 8 views

CVE-2025-54172

QuickCMS is vulnerable to Stored XSS in sTitle parameter in page editor functionality. Malicious attacker with admin privileges can inject arbitrary HTML and JS into website, which will be rendered/executed when visiting edited page. Regular admin user is not able to inject any JS scripts into th...

CVSS 4.8 | AI score 5.2 | EPSS 0.0018 | Exploits 0 | References 1

NVD | added 2025/08/20 1:15 p.m. | 8 views

CVE-2025-54174

QuickCMS is vulnerable to Cross-Site Request Forgery in article creation functionality. Malicious attacker can craft special website, which when visited by the admin, will automatically send a POST request creating a malicious article with content defined by the attacker. The vendor was notified...

CVSS 5.1 | EPSS 0.00124 | Exploits 0 | References 2