VYPR
Low severity (score 3.5) · NVD Advisory · Published Jul 14, 2025 · Updated Apr 29, 2026

CVE-2025-7569

Description

A vulnerability was found in Bigotry OneBase up to 1.3.6. It has been declared as problematic. Affected by this vulnerability is the function parse_args of the file /tpl/think_exception.tpl. The manipulation of the argument args leads to cross-site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

OneBase up to v1.3.6 contains a reflected XSS in the exception handler template (think_exception.tpl) due to unsanitized parse_args() output, enabling remote attacks.

CVE-2025-7569: Reflected XSS in OneBase

A reflected Cross-Site Scripting (XSS) vulnerability has been identified in Bigotry OneBase versions up to 1.3.6. The flaw resides in the exception handling template file /tpl/think_exception.tpl, specifically within the parse_args function. This function does not properly sanitize user-controlled input that is included in the Call Stack debug output, allowing the injection of arbitrary HTML and JavaScript [1].

The vulnerability can be triggered remotely by crafting a request that causes an exception (e.g., by providing invalid input to admin.php/config/configlist/order_field/). The framework then renders a debug page containing the unsanitized user input from the Call Stack, leading to reflected XSS. No authentication is required to trigger the exception, though the attack surface is limited to the admin panel endpoints [1].

Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of an administrator's browser. This could lead to session hijacking by stealing cookies or tokens, privilege escalation by modifying admin settings, or phishing attacks through injected login forms [1].

As of the publication date, the vendor has not responded to disclosure, and no official patch is available. However, the vulnerability is specific to debug mode; disabling debug mode or upgrading to a version after 1.3.6 (if made available) should mitigate the risk. The exploit has been publicly disclosed and may be incorporated into automated tools [1].
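The in-template fix the narrative points at, escaping each call-stack argument before it is rendered, as an added PHP example that is not OneBase's or ThinkPHP's own code: a parse_args()-style renderer in the unsafe form described above beside a hardened one. The function names and the sample request value are assumptions.

```php
<?php
// Added example, not OneBase/ThinkPHP code. Models the parse_args() helper of an
// exception debug template; function names and the sample value are assumptions.

// Unsafe pattern: call-stack arguments are interpolated into the debug HTML
// verbatim, so a request value that reaches the call stack is reflected as markup.
function parse_args_unsafe(array $args): string
{
    $parts = [];
    foreach ($args as $item) {
        $parts[] = is_string($item) ? "'" . $item . "'" : var_export($item, true);
    }
    return implode(', ', $parts);
}

// Hardened pattern: every fragment derived from runtime data is escaped before it
// is concatenated into HTML; ENT_QUOTES covers both text and attribute contexts.
function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function parse_args_safe(array $args): string
{
    $parts = [];
    foreach ($args as $item) {
        switch (true) {
            case is_object($item):
                $parts[] = 'object(' . esc(get_class($item)) . ')';
                break;
            case is_array($item):
                $parts[] = '[' . parse_args_safe($item) . ']';   // recurse, still escaped
                break;
            case is_string($item):
                $parts[] = "'" . esc($item) . "'";
                break;
            default:
                $parts[] = esc(var_export($item, true));        // ints, bools, null
        }
    }
    return implode(', ', $parts);
}

// Constructed sample: a query value that would trip an exception and then appear
// as a call-stack argument on the debug page.
$args = ['<script>alert(1)</script>', 42, ['nested', null]];

echo 'unsafe: ' . parse_args_unsafe($args) . PHP_EOL;   // markup survives into the page
echo 'safe:   ' . parse_args_safe($args) . PHP_EOL;     // markup rendered as text
```

Disabling debug mode, as the narrative suggests, keeps the template from being rendered at all; the escaping above is the fix for the template itself where a debug page must remain available.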

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches

No patches discovered yet.
