CVE-2021-25785

Vulnerability

Taocms v2.5Beta5 contains a stored cross-site scripting (XSS) vulnerability in the Management column component. The issue is located in the column creation/editing functionality handled by /admin/admin.php with parameters action=cms&ctrl=save. The name parameter is not sanitized before storage, allowing injection of arbitrary HTML and JavaScript. The vulnerability is triggered when a column administrator submits a POST request with a malicious payload in the name field. The affected version is Taocms v2.5Beta5 [1].

Exploitation

An attacker must have column administrator privileges (or higher) to access the column management interface. The exploit involves sending a crafted POST request to /admin/admin.php with the name parameter containing a payload such as ``. The payload is stored in the database and executed when any administrator views the column list in the admin panel [1]. No user interaction beyond the initial admin access is required for the stored payload to trigger.

Impact

Successful exploitation results in stored XSS, enabling the attacker to execute arbitrary JavaScript in the context of the Taocms admin panel. This can lead to session hijacking, sensitive data theft (e.g., cookies, credentials), defacement, or further administrative actions. The impact is limited to the admin interface but can compromise the entire installation if an administrator with elevated privileges views the malicious column [1].

Mitigation

As of the publication date (2021-12-02), no official fix or patch has been released by the vendor for Taocms v2.5Beta5. The vulnerability was reported on GitHub but remains unaddressed. Users should restrict access to the column management functionality to trusted administrators only, or consider using a different CMS version that is not affected. No workaround is documented in the available references [1].