CVE-2025-40730

Vulnerability

Overview

CVE-2025-40730 is an HTML injection vulnerability in Vox Media's Chorus CMS, discovered by Gonzalo Aguilar García (6h4ack) and coordinated by INCIBE. It allows an attacker to inject arbitrary HTML and JavaScript into a victim's browser by sending a crafted URL containing malicious input in the q parameter of the /search endpoint [1]. The root cause is improper sanitization of user-supplied data in the search functionality, which falls under CWE-79 (Cross-site Scripting) [1].

Exploitation

Details

The attack requires no special privileges beyond the attacker crafting a malicious URL and inducing the victim to click it. The vulnerability is considered low complexity (CVSS v4.0 base score 4.8) and requires user interaction (UI:A) and some level of privileges (PR:L), likely meaning the target must be logged in to the CMS [1]. The q parameter is processed by the server and returned in a response without adequate encoding, allowing the injected script to execute in the context of the user's session [1].

Impact

Successful exploitation could enable an attacker to steal sensitive data such as session cookies, perform actions on behalf of the authenticated user, or deface content displayed on the site [1]. The scope is limited to the user's client (SC:N, SI:L), meaning direct server-side damage is not possible, but the attacker can manipulate the user's view or steal credentials [1].

Mitigation

Status

As of the publication date (2025-07-28), no official patch or workaround has been released by Vox Media [1]. The vulnerability is listed with a medium severity rating, and organizations using Chorus CMS should monitor for updates or consider implementing input validation and output encoding on the q parameter as a temporary measure.