VYPR
Medium severity 6.1 · NVD Advisory · Published Jul 31, 2025 · Updated Apr 15, 2026

CVE-2025-50270

Description

A stored cross-site scripting (XSS) vulnerability in the "content management" feature in AnQiCMS v.3.4.11 allows a remote attacker to execute arbitrary code via a crafted script to the title, categoryTitle, and tmpTag parameters.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

AnQiCMS v3.4.11 has a stored XSS vulnerability in its content management feature, allowing remote attackers to execute arbitrary JavaScript via crafted title, categoryTitle, or tmpTag parameters.

Vulnerability

Overview

A stored cross-site scripting (XSS) vulnerability exists in the content management feature of AnQiCMS v3.4.11. The root cause is that user-supplied input passed through the title, categoryTitle, and tmpTag parameters is not adequately sanitized before being stored and later rendered in the application’s news and backend management interfaces. This allows an attacker to inject arbitrary JavaScript code that persists on the server and executes in the browsers of users who view the affected content. [1][2]

Exploitation

Prerequisites and Attack Surface

Exploitation requires the attacker to be authenticated and have the ability to create or edit articles (or other content) via the content management feature. As demonstrated in the references, a simple POST request to the /system/api/archive/detail endpoint with a title containing a script payload is sufficient to inject the malicious code. No special network position is required beyond normal access to the affected application. [1][2]

Impact

An attacker who successfully injects a stored XSS payload can execute arbitrary JavaScript in the context of any victim's browser when they view the compromised article or document list. This can lead to session hijacking, theft of sensitive cookies, or, for administrative users, full compromise of the admin account. The impact is amplified because the payload is stored and affects every visitor to the affected page. [1][2]

Mitigation

Status

The vendor has been notified via the public GitHub issue tracker (issue #80), but as of the publication date, no patched version has been released. Administrators are advised to apply input sanitization and output encoding on all user-supplied fields, especially title, categoryTitle, and tmpTag, or to restrict content creation privileges to trusted users only. [1][2]
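The two controls recommended above, shown side by side in Go as an added example (not AnQiCMS code and not from the advisory): context-aware output encoding with `html/template`, plus a defense-in-depth input check. The `Archive` struct, the row template, `ValidateField`, the 250-byte limit and the sample field values are all hypothetical or constructed for illustration.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
	"strings"
)

// Archive holds the three fields named in the advisory (hypothetical type).
type Archive struct{ Title, CategoryTitle, TmpTag string }

// listRow is a hypothetical document-list row. html/template escapes every
// field for the context it lands in (element body, quoted attribute value).
var listRow = template.Must(template.New("row").Parse(
	`<tr><td title="{{.CategoryTitle}}">{{.Title}}</td><td>{{.TmpTag}}</td></tr>`))

// RenderRow returns the encoded HTML for one stored record.
func RenderRow(a Archive) (string, error) {
	var buf bytes.Buffer
	if err := listRow.Execute(&buf, a); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// ValidateField is an input check that assumes the field is plain text:
// it rejects angle brackets, control characters and over-long values.
// It does not catch attribute-breaking quotes, so it cannot replace
// output encoding.
func ValidateField(name, v string) error {
	if len(v) > 250 { // assumed limit
		return fmt.Errorf("%s: too long", name)
	}
	bad := strings.IndexFunc(v, func(r rune) bool {
		return r == '<' || r == '>' || r < 0x20 || r == 0x7f
	})
	if bad >= 0 {
		return fmt.Errorf("%s: disallowed character at byte %d", name, bad)
	}
	return nil
}

func main() {
	// Constructed record standing in for data already stored by the CMS.
	a := Archive{Title: `<script>alert(1)</script>`, CategoryTitle: `" onmouseover="x`, TmpTag: "news"}
	out, _ := RenderRow(a)
	fmt.Println(out)
	fmt.Println(ValidateField("title", a.Title))
}
```

The constructed categoryTitle value passes `ValidateField` but is still neutralized at render time, which is why encoding at output is the primary control and input validation only a supplement.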

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

References

2
