CVE-2025-57205 (CNNVD-202509-3220)
中文标题:
Inilabs School Express 安全漏洞
英文标题:
iNiLabs School Express (SMS Express) 6.2 is affected by a Stored Cross-Site Scripting (XSS) vulnerab...
漏洞描述
中文描述:
Inilabs School Express是孟加拉国Inilabs公司的一款学校管理软件。 Inilabs School Express 6.2版本存在安全漏洞,该漏洞源于内容管理功能中对POSTed editor参数清理和编码不足,可能导致存储型跨站脚本攻击。
英文描述:
iNiLabs School Express (SMS Express) 6.2 is affected by a Stored Cross-Site Scripting (XSS) vulnerability in the content-management features available to authenticated admin users. The vulnerability resides in POSTed editor parameters submitted to the /posts/edit/{id} endpoint (and similarly in Notice and Pages editors). Due to insufficient input sanitization and output encoding, attackers can inject HTML/JS payloads. The payload is saved and later rendered unsanitized, resulting in JavaScript execution in other users' browsers when they access the affected content. This issue allows an authenticated attacker to execute arbitrary JavaScript in the context of another user, potentially leading to session hijacking, privilege escalation, data exfiltration, or administrative account takeover. The application does not enforce a restrictive Content Security Policy (CSP) or adequate filtering to prevent such attacks.
CWE类型:
标签:
受影响产品
| 厂商 | 产品 | 版本 | 版本范围 | 平台 | CPE |
|---|---|---|---|---|---|
| inilabs | school_express | 6.2 | - | - |
cpe:2.3:a:inilabs:school_express:6.2:*:*:*:*:wordpress:*:*
|
解决方案
中文解决方案:
英文解决方案:
临时解决方案:
CVSS评分详情
3.1 (adp)
MEDIUMCVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
时间信息
利用信息
数据源详情
| 数据源 | 记录ID | 版本 | 提取时间 |
|---|---|---|---|
| CVE | cve_CVE-2025-57205 |
2025-11-11 15:23:30 | 2025-11-11 07:40:44 |
| NVD | nvd_CVE-2025-57205 |
2025-11-11 15:01:03 | 2025-11-11 07:48:31 |
| CNNVD | cnnvd_CNNVD-202509-3220 |
2025-11-11 15:12:58 | 2025-11-11 08:00:12 |
版本与语言
安全公告
变更历史
查看详细变更
- vulnerability_type: 未提取 -> 其他
- cnnvd_id: 未提取 -> CNNVD-202509-3220
- data_sources: ['cve', 'nvd'] -> ['cnnvd', 'cve', 'nvd']
查看详细变更
- affected_products_count: 0 -> 1
- data_sources: ['cve'] -> ['cve', 'nvd']