CVE-2025-50481

Vulnerability

Overview

CVE-2025-50481 describes a stored cross-site scripting (XSS) vulnerability in Mezzanine CMS version 6.1.0, specifically in the /blog/blogpost/add component. The root cause is insufficient sanitization of user-supplied input when creating a blog post, allowing an authenticated attacker to inject arbitrary HTML or JavaScript code that gets stored and executed in the browsers of other users viewing the post [1].

Exploitation

To exploit this vulnerability, an attacker must be authenticated with sufficient privileges (e.g., editor or higher) to create blog posts. The attack does not require special network access beyond being able to reach the CMS web interface. After submitting a crafted payload, any user (including non-authenticated visitors) who views the affected blog post will have the injected script executed in their browser. User interaction is required in the sense that the victim must navigate to the malicious post [3]. According to a proof-of-concept, the session cookie is not accessible because it is marked HttpOnly, mitigating session hijacking via this vector [3].

Impact

Successful exploitation enables an attacker to perform arbitrary actions in the context of the victim's browser session, such as defacing the CMS, tampering with content, or causing a denial-of-service condition. The CVSS v3.0 base score is 4.8 (Medium) with vector AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N, indicating low impact on confidentiality and integrity, but it may still be leveraged for broader attacks [3].

Mitigation

As of the publication date, no official patch has been released. Users are advised to restrict blog creation privileges to trusted users and monitor for updates from the Mezzanine project [2]. The security contact for reporting issues is core-team@mezzaninecms.com [2].