VYPR
Moderate severity · NVD Advisory · Published Oct 23, 2025 · Updated Oct 23, 2025

CVE-2025-60837

Description

A reflected cross-site scripting (XSS) vulnerability in MCMS v6.0.1 allows attackers to execute arbitrary JavaScript in the context of a user's browser via a crafted payload.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A reflected XSS vulnerability in MCMS v6.0.1 allows unauthenticated attackers to execute arbitrary JavaScript via a crafted payload in the search functionality.

Vulnerability

Description

CVE-2025-60837 is a reflected cross-site scripting (XSS) vulnerability in MCMS v6.0.1, a Java-based content management system. The flaw resides in the search functionality, specifically the /mcms/search.do endpoint, which fails to properly sanitize user-supplied input before reflecting it in the response. This allows an attacker to inject arbitrary JavaScript code that executes in the context of the victim's browser [1][2][3].

Exploitation

The vulnerability can be exploited without authentication, making it accessible to any remote attacker. An attacker can craft a POST request to /mcms/search.do containing a malicious payload, such as ``. The payload is reflected back in the page and executed when the victim visits the crafted URL or submits the malicious form. The cited reference also documents filter-bypass variants of the payload, so common XSS filters may not reliably block it [3].

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the user's browser, potentially leading to session hijacking, defacement of pages, redirection to malicious sites, or extraction of sensitive information such as cookies or CSRF tokens. Since MCMS is often used for content management, a successful attack could compromise the integrity of the website and its users.

Mitigation

As of the publication date, no official patch has been released for MCMS v6.0.1. Users are advised to limit access to the search functionality, implement web application firewall (WAF) rules to block reflected XSS patterns, or apply input validation and output encoding manually until a patch is provided [1][2][4].
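The mitigation above names output encoding as the manual fix. The following is an added illustration of that fix, not code from MCMS or from the advisory: a search handler that concatenates the raw request parameter into the response next to one that HTML-encodes every reflection point. The parameter name "keyword", the page skeleton and the probe input are constructed for the example.

```java
/**
 * Added example: output encoding for a reflected search term.
 * Not MCMS's own search handler; "keyword" and the markup are assumptions.
 */
public class SearchEchoEncoding {

    /**
     * Minimal HTML encoder for text nodes and double-quoted attribute values.
     * Replaces every character that can terminate a text node or attribute
     * with its entity, so the browser treats the term as data, not markup.
     */
    static String htmlEncode(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#x27;"); break;
                case '/':  sb.append("&#x2F;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** The defect pattern: the raw parameter is spliced into two HTML contexts. */
    static String renderVulnerable(String keyword) {
        return "<h2>Results for: " + keyword + "</h2>\n"
             + "<input type=\"text\" name=\"keyword\" value=\"" + keyword + "\">";
    }

    /** The fix: the same template, with the term encoded before each reflection. */
    static String renderFixed(String keyword) {
        String safe = htmlEncode(keyword);
        return "<h2>Results for: " + safe + "</h2>\n"
             + "<input type=\"text\" name=\"keyword\" value=\"" + safe + "\">";
    }

    public static void main(String[] args) {
        // Constructed probe: a quote and angle bracket that would close the
        // value attribute and open a new element in the unencoded version.
        String probe = "\"><b>term</b>";

        System.out.println("--- vulnerable (attribute is broken out of) ---");
        System.out.println(renderVulnerable(probe));
        System.out.println("--- fixed (term stays inside the attribute) ---");
        System.out.println(renderFixed(probe));
    }
}
```

In the vulnerable output the `">` ends the `value` attribute and the `<b>` element is parsed as markup; in the fixed output the same bytes arrive as `&quot;&gt;&lt;b&gt;term&lt;&#x2F;b&gt;` and render as literal text. In a real deployment a maintained library such as the OWASP Java Encoder (`Encode.forHtml`) is preferable to a hand-rolled switch, and the encoding must match the context the value lands in (HTML body, attribute, JavaScript string, URL), since a single encoder does not cover all of them.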

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                  | Ecosystem | Affected versions | Patched versions
net.mingsoft:ms-mcms     | Maven     | <= 6.0.1          | (none)

Affected products

2

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

4

News mentions

0

No linked articles in our index yet.