- Description
- A flaw has been found in qianfox FoxCMS up to 1.2.16. Affected by this vulnerability is the function add/edit of the file app/admin/controller/Product.php. This manipulation of the argument Title causes cross site scripting. It is possible to initiate the attack remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
- Source
- cna@vuldb.com
- NVD status
- Analyzed
- Products
- foxcms
CVSS 4.0
- Type
- Secondary
- Base score
- 4.8
- Impact score
- -
- Exploitability score
- -
- Vector string
- CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
- Severity
- MEDIUM
CVSS 3.1
- Type
- Primary
- Base score
- 4.8
- Impact score
- 2.7
- Exploitability score
- 1.7
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
- Severity
- MEDIUM
CVSS 2.0
- Type
- Secondary
- Base score
- 3.3
- Impact score
- 2.9
- Exploitability score
- 6.4
- Vector string
- AV:N/AC:L/Au:M/C:N/I:P/A:N
- Hype score
- Not currently trending
CVE-2025-12920 A flaw has been found in qianfox FoxCMS up to 1.2.16. Affected by this vulnerability is the function add/edit of the file app/admin/controller/Product.php. This manip… https://t.co/OkD3ZK6BrR
@CVEnew
9 Nov 2025
486 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-12920 Cross-Site Scripting in qianfox FoxCMS Product Controller via Title Argument https://t.co/N1AG2t4MZJ
@VulmonFeeds
9 Nov 2025
47 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
[
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:foxcms:foxcms:*:*:*:*:*:*:*:*",
"matchCriteriaId": "70819A41-40F8-4A59-A1C4-68F247393008",
"versionEndIncluding": "1.2.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
]