usd-2025-0031 | Weblication CMS Core 019.004.000.000 - Improper Neutralization of Input During Web Page Generation (Cross-site Scripting)

Product: Weblication CMS Core
Affected Version: 019.004.000.000
Vulnerability Type: Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) (CWE-79)
Security Risk: Critical
Vendor: Scholl Communications AG
Vendor URL: https://weblication.de
Vendor acknowledged vulnerability: Yes
Vendor Status: Fixed
CVE Number: Requested
CVE Link: -
Advisory ID: usd-2025-0031

Description

Weblication CMS is a German content management system for creating and managing websites. Unauthenticated attackers can inject JavaScript code into a section of the admin panel via specially crafted URLs. The code is stored persistently on the page.

Fix

Users should update Weblication CMS Core to its current version.

User-supplied input should always be sanitized.
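
The following Python example is added here to illustrate the fix guidance; it is not Weblication code and not part of the original advisory. The advisory does not disclose the affected admin section or how the value is stored, so the example assumes a hypothetical admin view that lists request URLs recorded from unauthenticated visitors (all names and sample values are constructed). It shows the unencoded rendering beside an output-encoded one that also restricts link targets.

```python
import html
from urllib.parse import urlsplit

# Constructed sample: request URLs recorded from unauthenticated visitors and
# later listed in an admin view (hypothetical storage, not the product's).
STORED_URLS = [
    "/news/index.php?id=7",
    '/search?q="><script>alert(1)</script>',
    "javascript:alert(1)",
]


def render_row_unsafe(url: str) -> str:
    """'Before' form: stored input is concatenated into markup unchanged."""
    return '<tr><td><a href="' + url + '">' + url + "</a></td></tr>"


def is_linkable(url: str) -> bool:
    """Allow only http(s) URLs or site-relative paths as link targets."""
    parts = urlsplit(url)
    if parts.scheme:
        return parts.scheme in ("http", "https")
    return url.startswith("/") and not url.startswith("//")


def render_row_safe(url: str) -> str:
    """Encode for the HTML context at output time; link only vetted targets."""
    text = html.escape(url, quote=True)  # neutralizes < > & " '
    if is_linkable(url):
        return f'<tr><td><a href="{text}">{text}</a></td></tr>'
    # Escaping alone does not defuse a script-scheme URL inside href,
    # so such values are shown as inert text only.
    return f"<tr><td>{text}</td></tr>"


def render_table(rows, render=render_row_safe) -> str:
    """Build the admin listing with the chosen row renderer."""
    return "<table>" + "".join(render(u) for u in rows) + "</table>"


if __name__ == "__main__":
    print(render_table(STORED_URLS))
```

Encoding at output time protects the admin view even for values that were stored before any input filter existed.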

Timeline

  • 2025-05-07: First contact request via mail.
  • 2025-05-07: The vendor has confirmed the delivery and has begun investigating the matter.
  • 2025-05-09: The vendor has addressed and fixed the vulnerability.
  • 2025-05-09: The vendor released fixed version 019.005.000.000.
  • 2025-08-25: This advisory is published.

Credits

This security vulnerability was identified by Konstantin Samuel of usd AG.