{"id":24356,"date":"2025-08-25T11:17:52","date_gmt":"2025-08-25T09:17:52","guid":{"rendered":"https:\/\/herolab.usd.de\/security-advisories\/usd-2025-0031\/"},"modified":"2025-09-09T14:58:43","modified_gmt":"2025-09-09T12:58:43","slug":"usd-2025-0031","status":"publish","type":"page","link":"https:\/\/herolab.usd.de\/en\/security-advisories\/usd-2025-0031\/","title":{"rendered":"usd-2025-0031"},"content":{"rendered":"<h1>usd-2025-0031 | Weblication CMS Core 019.004.000.000 - Improper Neutralization of Input During Web Page Generation (Cross-site Scripting)<\/h1>\n<p><strong>Product<\/strong>: Weblication CMS Core<br \/><strong>Affected Version<\/strong>: 019.004.000.000<br \/><strong>Vulnerability Type<\/strong>: Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) (CWE-79)<br \/><strong>Security Risk<\/strong>: Critical<br \/><strong>Vendor<\/strong>:\u00a0Scholl Communications AG<br \/><strong>Vendor URL<\/strong>: <a href=\"https:\/\/weblication.de\" target=\"_blank\" rel=\"noopener\">https:\/\/weblication.de<\/a><br \/><strong>Vendor acknowledged vulnerability<\/strong>: Yes<br \/><strong>Vendor Status<\/strong>: Fixed<br \/><strong>CVE Number<\/strong>: CVE-2025-52161<br \/><strong>CVE Link<\/strong>: <a href=\"https:\/\/www.cve.org\/CVERecord?id=CVE-2025-52161\" target=\"_blank\" rel=\"noopener\">https:\/\/www.cve.org\/CVERecord?id=CVE-2025-52161<\/a><br \/><strong>Advisory ID<\/strong>: 
usd-2025-0031<\/p>\n<h3>Description<\/h3>\n<p>Weblication CMS is a German content management system for creating and managing websites. Unauthenticated attackers can inject JavaScript code into a section of the admin panel via specially crafted URLs. The code is stored persistently on the page.<\/p>\n<h3>Fix<\/h3>\n<p>Users should update Weblication CMS Core to its current version.<\/p>\n<p>User-supplied input should always be sanitized.<\/p>\n<h3>References<\/h3>\n<ul>\n<li><a href=\"https:\/\/cwe.mitre.org\/data\/definitions\/79.html\" target=\"_blank\" rel=\"noopener\">https:\/\/cwe.mitre.org\/data\/definitions\/79.html<\/a><\/li>\n<\/ul>\n<h3>Timeline<\/h3>\n<ul>\n<li><strong>2025-05-07:<\/strong> First contact request via mail.<\/li>\n<li><strong>2025-05-07:<\/strong> The vendor has confirmed the delivery and has begun investigating the matter.<\/li>\n<li><strong>2025-05-09:<\/strong> The vendor has addressed and fixed the vulnerability.<\/li>\n<li><strong>2025-05-09:<\/strong> The vendor released fixed versions 019.005.000.000.<\/li>\n<li><strong>2025-08-25:<\/strong> This advisory is published.<\/li>\n<\/ul>\n<h3>Credits<\/h3>\n<p>This security vulnerability was identified by Konstantin Samuel of usd AG.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>usd-2025-0031 | Weblication CMS Core 019.004.000.000 - Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) Product: Weblication CMS CoreAffected Version: 019.004.000.000Vulnerability Type: Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) (CWE-79)Security Risk: CriticalVendor:\u00a0Scholl Communications AGVendor URL: https:\/\/weblication.deVendor acknowledged vulnerability: YesVendor Status: FixedCVE Number: CVE-2025-52161CVE Link: https:\/\/www.cve.org\/CVERecord?id=CVE-2025-52161Advisory ID: usd-2025-0031 Description Weblication CMS [&hellip;]<\/p>\n","protected":false},"author":119,"featured_media":0,"parent":16124,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_et_pb_use_builder":"on","_et_pb_old_content":"","_et_gb_content_width":"","inline_featured_image":false,"footnotes":""},"class_list":["post-24356","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/24356","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/users\/119"}],"replies":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/comments?post=24356"}],"version-history":[{"count":5,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/24356\/revisions"}],"predecessor-version":[{"id":24524,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/24356\/revisions\/24524"}],"up":[{"embeddable":true,"
href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16124"}],"wp:attachment":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/media?parent=24356"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}