Vulnerabilities in OpenSolution QuickCMS software

CVE ID	CVE-2025-54540
Publication date	28 August 2025
Vendor	OpenSolution
Product	QuickCMS
Vulnerable versions	6.8
Vulnerability type (CWE)	Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') (CWE-79)
Report source	Report to CERT Polska
CVE ID	CVE-2025-54541
Publication date	28 August 2025
Vendor	OpenSolution
Product	QuickCMS
Vulnerable versions	6.8
Vulnerability type (CWE)	Cross-Site Request Forgery (CSRF) (CWE-352)
Report source	Report to CERT Polska
CVE ID	CVE-2025-54542
Publication date	28 August 2025
Vendor	OpenSolution
Product	QuickCMS
Vulnerable versions	6.8
Vulnerability type (CWE)	Use of GET Request Method With Sensitive Query Strings (CWE-598)
Report source	Report to CERT Polska
CVE ID	CVE-2025-54543
Publication date	28 August 2025
Vendor	OpenSolution
Product	QuickCMS
Vulnerable versions	6.8
Vulnerability type (CWE)	Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') (CWE-79)
Report source	Report to CERT Polska
CVE ID	CVE-2025-54544
Publication date	28 August 2025
Vendor	OpenSolution
Product	QuickCMS
Vulnerable versions	6.8
Vulnerability type (CWE)	Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') (CWE-79)
Report source	Report to CERT Polska
CVE ID	CVE-2025-55175
Publication date	28 August 2025
Vendor	OpenSolution
Product	QuickCMS
Vulnerable versions	6.8
Vulnerability type (CWE)	Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') (CWE-79)
Report source	Report to CERT Polska

Description

CERT Polska has received a report about vulnerabilities in OpenSolution QuickCMS software and participated in coordination of their disclosure.

The vulnerability CVE-2025-54540: QuickCMS is vulnerable to Reflected XSS via sSort parameter in admin's panel functionality. A malicious attacker can craft a specially crafted URL that, when opened, results in arbitrary JavaScript execution in the victim's browser.

The vulnerability CVE-2025-54541: QuickCMS is vulnerable to Cross-Site Request Forgery in page deletion functionality. Malicious attacker can craft special website, which when visited by the admin, will automatically send a POST request deleting an article.

The vulnerability CVE-2025-54542: QuickCMS sends password and login via GET Request. This allows a local attacker with access to the victim's browser history to obtain the necessary credentials to log in as the user.

The vulnerability CVE-2025-54543: QuickCMS is vulnerable to Stored XSS via sDescriptionMeta parameter in page editor SEO functionality. Malicious attacker with admin privileges can inject arbitrary HTML and JS into website, which will be rendered/executed when visiting edited page. By default admin user is not able to add JavaScript into the website.

The vulnerability CVE-2025-54544: QuickCMS is vulnerable to Stored XSS via aDirFilesDescriptions parameter in files editor functionality. Malicious attacker with admin privileges can inject arbitrary HTML and JS into website, which will be rendered/executed when visiting edited page. By default admin user is not able to add JavaScript into the website.

The vulnerability CVE-2025-55175: QuickCMS is vulnerable to Reflected XSS via sLangEdit parameter in admin's panel functionality. A malicious attacker can craft a specially crafted URL that, when opened, results in arbitrary JavaScript execution in the victim's browser.

The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version 6.8 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable.

Credits

We thank Karol Czubernat for the responsible vulnerability report.

More about the coordinated vulnerability disclosure process at CERT Polska can be found at https://cert.pl/en/cvd/.