CVE-2025-71164
MediumCVSS 5.4Exploitation Probability (EPSS)
Low risk9th percentile - higher than 9% of all known CVEs
Summary
Typesetter CMS versions up to and including 5.1 contain a reflected XSS vulnerability in the Editing component. The images parameter (submitted as images[] in a POST request) is reflected into an HTML href attribute without proper context-aware output encoding in include/tool/Editing.php. An authenticated attacker with editing privileges can supply a JavaScript pseudo-protocol (e.g., javascript:) to trigger arbitrary JavaScript execution in the context of the victim's browser session.
Risk Assessment
The risk for the organization includes session theft, admin account takeover, or unauthorized actions in the CMS by an attacker exploiting the vulnerability to inject malicious scripts.
Recommendation
It is recommended to immediately upgrade Typesetter CMS to a version above 5.1 or apply a security patch that implements proper output encoding for the images parameter in Editing.php.
Original NVD description (English source)
Typesetter CMS versions up to and including 5.1 contain a reflected cross-site scripting (XSS) vulnerability in the Editing component. The images parameter (submitted as images[] in a POST request) is reflected into an HTML href attribute without proper context-aware output encoding in include/tool/Editing.php. An authenticated attacker with editing privileges can supply a JavaScript pseudo-protocol (e.g., javascript:) to trigger arbitrary JavaScript execution in the context of the victim's browser session.

