Vulnerability Description
A flaw has been found in qianfox FoxCMS up to 1.2.16. Affected by this vulnerability is the function add/edit of the file app/admin/controller/Product.php. This manipulation of the argument Title causes cross site scripting. It is possible to initiate the attack remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Score
LOW
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Foxcms | Foxcms | <= 1.2.16 |
Related Weaknesses (CWE)
References
- https://github.com/21151213732/CVE/blob/main/FoxCMS-XSS2.mdExploitThird Party Advisory
- https://github.com/21151213732/CVE/blob/main/FoxCMS-XSS3.mdExploitThird Party Advisory
- https://vuldb.com/?ctiid.331640Permissions RequiredVDB Entry
- https://vuldb.com/?id.331640Third Party AdvisoryVDB Entry
- https://vuldb.com/?submit.680851Third Party AdvisoryVDB Entry
- https://vuldb.com/?submit.680852Third Party AdvisoryVDB Entry
- https://vuldb.com/?submit.680853Third Party AdvisoryVDB Entry
- https://github.com/21151213732/CVE/blob/main/FoxCMS-XSS2.mdExploitThird Party Advisory
- https://github.com/21151213732/CVE/blob/main/FoxCMS-XSS3.mdExploitThird Party Advisory
FAQ
What is CVE-2025-12920?
CVE-2025-12920 is a vulnerability with a CVSS score of 2.4 (LOW). A flaw has been found in qianfox FoxCMS up to 1.2.16. Affected by this vulnerability is the function add/edit of the file app/admin/controller/Product.php. This manipulation of the argument Title caus...
How severe is CVE-2025-12920?
CVE-2025-12920 has been rated LOW with a CVSS base score of 2.4/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-12920?
Check the references section above for vendor advisories and patch information. Affected products include: Foxcms Foxcms.