@kasiasok
Created October 9, 2025 22:42
CVE-2025-60869 Publii CMS v0.46.5 - Persistent Cross-Site Scripting (XSS) in Configuration Fields
Product: Publii CMS
Tested on: v0.46.5 (build 17089)
Vendor: TidyCustoms (Publii project maintainers)
Vulnerability: Persistent Cross-Site Scripting (XSS)
One-line summary:
Publii CMS v0.46.5 (build 17089) allows persistent XSS via unsanitized input in configuration fields: injected JavaScript is stored in the project, written into the generated static site, and executed in visitors' browsers.
Vulnerability Description:
In Publii CMS 0.46.5 (build 17089), configuration fields such as Site Description and the social media fields under
**admin panel -> theme -> custom settings -> footer -> social media link fields** are neither validated nor sanitized before being saved. A JavaScript fragment entered into one of these fields is stored in the project and embedded unchanged into the generated static HTML during site generation. Every visitor who opens the generated page executes the injected code, which makes this a persistent (stored) Cross-Site Scripting (XSS) vulnerability.
Steps to Reproduce:
1. Install Publii CMS v0.46.5 (build 17089).
2. Create a new website project.
3. Navigate to admin panel -> theme -> custom settings -> footer -> social media link fields
and paste the payload <script>alert(1)</script> into the Instagram, LinkedIn, Pinterest, Vimeo or YouTube link URL field.
4. Save the settings and click "Save & Preview".
5. Open the generated preview site and click the corresponding social media button in the footer. The injected JavaScript alert is executed.
Expected Behavior:
The application should validate and/or sanitize values entered into configuration fields (for example, accept only valid http(s) URLs for social media fields, or strip/encode HTML before output). Configuration fields must not allow raw JavaScript to be saved, and generated HTML files must not contain untrusted executable code.
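The following is an added example that is not part of the advisory and not Publii's own code. It shows the two controls the paragraph above asks for: a URL validator that rejects anything that is not an absolute http(s) URL (so the <script> payload and javascript: links never reach the project file), and attribute encoding for any value that is still interpolated into footer markup. The field names follow the advisory; the function names, the footer template and the sample configuration are hypothetical, constructed for this illustration.

```javascript
// Added example, not Publii's code. Field names (instagram, linkedin, ...) follow the
// advisory; the function names and the footer template are hypothetical.

// Schemes a footer social link may use. "javascript:" and "data:" are deliberately out.
const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

// Return a normalised absolute http(s) URL, or null when the value is not one.
// The WHATWG URL constructor throws on anything that is not an absolute URL, so a
// bare "<script>alert(1)</script>" is rejected before the scheme check even runs.
function sanitizeSocialUrl(value) {
  if (typeof value !== 'string') return null;
  const trimmed = value.trim();
  if (trimmed === '') return null;
  let parsed;
  try {
    parsed = new URL(trimmed);
  } catch (e) {
    return null;
  }
  if (!ALLOWED_SCHEMES.has(parsed.protocol) || parsed.hostname === '') return null;
  return parsed.href;
}

// Encode the five characters that can break out of an HTML attribute or text node.
function escapeHtmlAttr(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// The pattern the advisory describes: the stored value is written into the
// generated HTML as-is. Kept only to contrast with the hardened renderer below.
function renderFooterLinkUnsafe(name, value) {
  return `<a class="social ${name}" href="${value}">${name}</a>`;
}

// Hardened renderer: reject non-http(s) values, then attribute-encode whatever is
// still interpolated (defence in depth in case the validator ever regresses).
function renderFooterLinkSafe(name, value) {
  const url = sanitizeSocialUrl(value);
  if (url === null) return ''; // omit the link rather than emit bad markup
  const safeName = escapeHtmlAttr(name);
  return `<a class="social ${safeName}" href="${escapeHtmlAttr(url)}">${safeName}</a>`;
}

// Render every configured social field with the chosen link renderer.
function renderFooter(socialConfig, renderLink) {
  return Object.entries(socialConfig)
    .map(([name, value]) => renderLink(name, value))
    .filter((html) => html !== '')
    .join('\n');
}

// Post-generation check: list every <script ...> opening tag in a generated page,
// so a build step can fail when a tag shows up that the theme did not put there.
function findScriptTags(html) {
  return html.match(/<script\b[^>]*>/gi) || [];
}

// Constructed sample configuration: the advisory's payload in four of the fields it
// names, plus one legitimate link so the hardened path produces visible output.
const PAYLOAD = '<script>alert(1)</script>';
const sampleSocialConfig = {
  instagram: PAYLOAD,
  linkedin: PAYLOAD,
  pinterest: PAYLOAD,
  vimeo: PAYLOAD,
  youtube: 'https://www.youtube.com/example',
};

const unsafeFooter = renderFooter(sampleSocialConfig, renderFooterLinkUnsafe);
const safeFooter = renderFooter(sampleSocialConfig, renderFooterLinkSafe);
console.log('script tags in unsafe footer:', findScriptTags(unsafeFooter).length);
console.log('script tags in safe footer:', findScriptTags(safeFooter).length);
console.log(safeFooter);
```

Validating at save time is the primary control, because the static site is regenerated from the stored project and an unvalidated value keeps reappearing in every build. Encoding at render time is the second layer: even if a value slips past the validator, it can no longer terminate the href attribute or open a new tag. The findScriptTags check is the kind of assertion a build pipeline can run over the generated output to catch either layer failing.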
Impact:
Execution of arbitrary JavaScript in the browsers of visitors to generated sites (Confidentiality: High, Integrity: High, Availability: None). Possible consequences include cookie/session theft, phishing and redirects, keylogging or event capture, loading of external resources, and other client-side attacks. Scope: any static site generated from a project that contains an injected field exposes its visitors to these attacks, and the payload is reproduced on every regeneration until the field is cleaned.
Exploitation:
Injection requires the ability to write values to the affected configuration fields, typically through access to the admin panel/edit project (Publii is a single-user app), or through another vector that allows saving values into those fields. Once saved, the malicious code is persistent; no further attacker interaction is required beyond a victim visiting the affected generated page. The attack requires user interaction in the form of clicking the social media button in the footer.
Disclosure date: 10.10.2025
Reporter: Kasia Sok