Report an incident
Back
  • About us
  • For experts
Report an incident
About us
About our team Contact
Baza wiedzy
Fałszywe inwestycje Uważaj na fałszywe sklepy online (Nie)bezpieczne płatności Fałszywi konsultanci Zadbaj o bezpieczne hasła i logowanie Fałszywe załączniki w mailach Fałszywe prośby o szybki przelew Fałszywe SMSy - plaga ostatnich miesięcy Bezpieczny telefon
Biuletyn OUCH!
Porady bezpieczeństwa OUCH!
Projects
n6 Artemis MWDB
CVD program
CVD policy Advisories

Vulnerabilities in Windu CMS software
18 November 2025 | CERT Polska | #vulnerability, #warning, #cve
CVE ID CVE-2025-59110
Publication date 18 November 2025
Vendor JCD
Product Windu CMS
Vulnerable versions 4.1
Vulnerability type (CWE) Cross-Site Request Forgery (CSRF) (CWE-352)
Report source Report to CERT Polska
CVE ID CVE-2025-59111
Publication date 18 November 2025
Vendor JCD
Product Windu CMS
Vulnerable versions 4.1
Vulnerability type (CWE) Incorrect Authorization (CWE-863)
Report source Report to CERT Polska
CVE ID CVE-2025-59112
Publication date 18 November 2025
Vendor JCD
Product Windu CMS
Vulnerable versions 4.1
Vulnerability type (CWE) Cross-Site Request Forgery (CSRF) (CWE-352)
Report source Report to CERT Polska
CVE ID CVE-2025-59113
Publication date 18 November 2025
Vendor JCD
Product Windu CMS
Vulnerable versions 4.1
Vulnerability type (CWE) Improper Restriction of Excessive Authentication Attempts (CWE-307)
Report source Report to CERT Polska
CVE ID CVE-2025-59114
Publication date 18 November 2025
Vendor JCD
Product Windu CMS
Vulnerable versions 4.1
Vulnerability type (CWE) Cross-Site Request Forgery (CSRF) (CWE-352)
Report source Report to CERT Polska
CVE ID CVE-2025-59115
Publication date 18 November 2025
Vendor JCD
Product Windu CMS
Vulnerable versions 4.1
Vulnerability type (CWE) Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') (CWE-79)
Report source Report to CERT Polska
CVE ID CVE-2025-59116
Publication date 18 November 2025
Vendor JCD
Product Windu CMS
Vulnerable versions 4.1
Vulnerability type (CWE) Observable Response Discrepancy (CWE-204)
Report source Report to CERT Polska
CVE ID CVE-2025-59117
Publication date 18 November 2025
Vendor JCD
Product Windu CMS
Vulnerable versions 4.1
Vulnerability type (CWE) Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') (CWE-79)
Report source Report to CERT Polska

Description

CERT Polska has received a report about vulnerabilities in Windu CMS software and participated in coordination of their disclosure.

The vulnerability CVE-2025-59110: Windu CMS is vulnerable to Cross-Site Request Forgery in user editing functionality. Implemented CSRF protection mechanism can be bypassed by using CSRF token of other user. It is worth noting that the registration is open and anyone can create an account.

The vulnerability CVE-2025-59111: Windu CMS is vulnerable to Broken Access Control in user editing functionality. Malicious attacker can send a GET request which allows privileged users to delete Super Admins which is not possible with GUI.

The vulnerability CVE-2025-59112: Windu CMS is vulnerable to Cross-Site Request Forgery in user editing functionality. Malicious attacker can craft special website, which when visited by the administrator, will automatically send POST request that deletes given user.

The vulnerability CVE-2025-59113: Windu CMS implements weak client-side brute-force protection by using parameter loginError. Information about attempt count or timeout is not stored on the server, which allows a malicious attacker to bypass this brute-force protection by resetting this parameter.

The vulnerability CVE-2025-59114: Windu CMS is vulnerable to Cross-Site Request Forgery in file uploading functionality. Malicious attacker can craft special website, which when visited by the victim, will automatically send malicious file to the server.

The vulnerability CVE-2025-59115: Windu CMS is vulnerable to Stored Cross-Site Scripting in the logon page where input data has no proper validation. Malicious attacker can inject arbitrary HTML and JS into website, which will be rendered/executed when visiting logs page by admin.

The vulnerability CVE-2025-59116: Windu CMS is vulnerable to User Enumeration. This issue occurs during logon, where a difference in messages could allow an attacker to determine if the login is valid or not, enabling a brute force attack with valid logins.

The vulnerability CVE-2025-59117: Windu CMS is vulnerable to multiple Stored Cross-Site Scripting vulnerabilities in the page editing endpoint /windu/admin/content/pages/edit. This vulnerability can be exploited by a privileged user and may target users with higher privileges.

The vendor was notified early about these vulnerabilities, but didn't respond with the details of vulnerabilities or vulnerable version range. Only version 4.1 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable.

Credits

We thank Karol Czubernat for the responsible vulnerability report.

More about the coordinated vulnerability disclosure process at CERT Polska can be found at https://cert.pl/en/cvd/.