| CVE ID | CVE-2025-54540 |
| Publication date | 28 August 2025 |
| Vendor | OpenSolution |
| Product | QuickCMS |
| Vulnerable versions | 6.8 |
| Vulnerability type (CWE) | Improper Neutralization of Input During Web Page Generation (XSS or ‘Cross-site Scripting’) (CWE-79) |
| Report source | Report to CERT Polska |
| CVE ID | CVE-2025-54541 |
| Publication date | 28 August 2025 |
| Vendor | OpenSolution |
| Product | QuickCMS |
| Vulnerable versions | 6.8 |
| Vulnerability type (CWE) | Cross-Site Request Forgery (CSRF) (CWE-352) |
| Report source | Report to CERT Polska |
| CVE ID | CVE-2025-54542 |
| Publication date | 28 August 2025 |
| Vendor | OpenSolution |
| Product | QuickCMS |
| Vulnerable versions | 6.8 |
| Vulnerability type (CWE) | Use of GET Request Method With Sensitive Query Strings (CWE-598) |
| Report source | Report to CERT Polska |
| CVE ID | CVE-2025-54543 |
| Publication date | 28 August 2025 |
| Vendor | OpenSolution |
| Product | QuickCMS |
| Vulnerable versions | 6.8 |
| Vulnerability type (CWE) | Improper Neutralization of Input During Web Page Generation (XSS or ‘Cross-site Scripting’) (CWE-79) |
| Report source | Report to CERT Polska |
| CVE ID | CVE-2025-54544 |
| Publication date | 28 August 2025 |
| Vendor | OpenSolution |
| Product | QuickCMS |
| Vulnerable versions | 6.8 |
| Vulnerability type (CWE) | Improper Neutralization of Input During Web Page Generation (XSS or ‘Cross-site Scripting’) (CWE-79) |
| Report source | Report to CERT Polska |
| CVE ID | CVE-2025-55175 |
| Publication date | 28 August 2025 |
| Vendor | OpenSolution |
| Product | QuickCMS |
| Vulnerable versions | 6.8 |
| Vulnerability type (CWE) | Improper Neutralization of Input During Web Page Generation (XSS or ‘Cross-site Scripting’) (CWE-79) |
| Report source | Report to CERT Polska |
Description
CERT Polska has received a report about vulnerabilities in OpenSolution QuickCMS software and participated in coordination of their disclosure.
The vulnerability CVE-2025-54540: QuickCMS is vulnerable to Reflected XSS via sSort parameter in admin’s panel functionality. A malicious attacker can craft a specially crafted URL that, when opened, results in arbitrary JavaScript execution in the victim’s browser.
The vulnerability CVE-2025-54541: QuickCMS is vulnerable to Cross-Site Request Forgery in page deletion functionality. Malicious attacker can craft special website, which when visited by the admin, will automatically send a POST request deleting an article.
The vulnerability CVE-2025-54542: QuickCMS sends password and login via GET Request. This allows a local attacker with access to the victim’s browser history to obtain the necessary credentials to log in as the user.
The vulnerability CVE-2025-54543: QuickCMS is vulnerable to Stored XSS via sDescriptionMeta parameter in page editor SEO functionality. Malicious attacker with admin privileges can inject arbitrary HTML and JS into website, which will be rendered/executed when visiting edited page. By default admin user is not able to add JavaScript into the website.
The vulnerability CVE-2025-54544: QuickCMS is vulnerable to Stored XSS via aDirFilesDescriptions parameter in files editor functionality. Malicious attacker with admin privileges can inject arbitrary HTML and JS into website, which will be rendered/executed when visiting edited page. By default admin user is not able to add JavaScript into the website.
The vulnerability CVE-2025-55175: QuickCMS is vulnerable to Reflected XSS via sLangEdit parameter in admin’s panel functionality. A malicious attacker can craft a specially crafted URL that, when opened, results in arbitrary JavaScript execution in the victim’s browser.
The vendor was notified early about this vulnerability, but didn’t respond with the details of vulnerability or vulnerable version range. Only version 6.8 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable.
Credits
We thank Karol Czubernat for the responsible vulnerability report.
More about the coordinated vulnerability disclosure process at CERT Polska can be found at https://cert.pl/en/cvd/.
