## Critical Vulnerability Information

- CVE ID: CVE-2025-63588
- CVSS Score: CVSS v3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N, Base Score 6.1 (Medium)
- Vulnerability Type: Reflected Cross-Site Scripting (XSS)

## Affected Products and Versions

- Product: CMSimple_XH
- Version: 2.0.1

## Vulnerability Description

The front-end routing parsing code in CMSimple_XH contains a vulnerability when processing dynamic login-related inputs. When a victim accesses a URL crafted by an attacker, the code reflects attacker-controlled data from the request URI directly into the generated HTML, leading to arbitrary JavaScript execution in the victim's browser. The vulnerability is non-persistent: exploitation requires the victim to follow a maliciously crafted URL.

## Impact

- Client-Side Code Execution: Arbitrary JavaScript can execute within the site's context.
- Information Disclosure: Scripts can read DOM content, any client-accessible cookies, or tokens. If session cookies are not marked HttpOnly, session tokens may be stolen.
- Session Hijacking / Impersonation: Token leakage may allow account takeover, depending on the victim's privileges.
- Phishing / UI Spoofing / Forced Actions: Injected scripts can create fake user interfaces, redirect users, or submit actions on behalf of the victim within their active session.

## Affected Components

The vulnerability originates in the front-end routing code (e.g., or an equivalent front controller), which parses dynamic path segments and maps them to page/template variables. Raw path segments (used in CMSimple_XH's routing, such as Templats...-style fragments) are passed to page templates and injected into HTML attributes without proper HTML attribute encoding or sanitization, allowing or other payloads to be rendered directly.

## Proof of Concept (PoC)

This PoC demonstrates how attacker-supplied input is reflected into the returned HTML and executed in the victim's browser.
## Remediation Recommendation

Encode any request-derived value with HTML attribute encoding before placing it into an attribute such as `action`, rather than reflecting the raw request URI. A PHP code example is provided for securely outputting an action attribute.
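The following is an added illustration, not code from the advisory or from CMSimple_XH itself: it contrasts reflecting the request URI into a form `action` attribute unencoded with the hardened form, which restricts the value to a same-site relative path and applies attribute encoding. The function names and the sample URI are constructed for this example.

```php
<?php
// Added example (hypothetical function names, not CMSimple_XH code).
declare(strict_types=1);

// Constructed sample request URI containing attribute-breaking characters.
// A harmless tag is used so the breakout is visible without executing script.
$requestUri = '/?login"><b>injected</b>';

// Unsafe pattern described in the advisory: the raw URI is written straight into
// an attribute, so a double quote in it terminates the attribute and the rest of
// the input becomes markup.
function renderActionUnsafe(string $uri): string
{
    return '<form method="post" action="' . $uri . '">';
}

// Step 1 of the fix: only accept a same-site relative path (leading slash, no
// scheme or host, no control characters). Anything else falls back to "/".
function safeActionPath(string $uri): string
{
    if (preg_match('#\A/(?![/\\\\])[\x21-\x7E]*\z#', $uri) !== 1) {
        return '/';
    }
    return $uri;
}

// Step 2 of the fix: attribute-encode the value. ENT_QUOTES is required so that
// both " and ' are escaped; ENT_SUBSTITUTE avoids emitting an empty string on
// malformed UTF-8; ENT_HTML5 selects HTML5 entity names.
function renderActionSafe(string $uri): string
{
    $encoded = htmlspecialchars(
        safeActionPath($uri),
        ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5,
        'UTF-8'
    );
    return '<form method="post" action="' . $encoded . '">';
}

echo renderActionUnsafe($requestUri), PHP_EOL;
echo renderActionSafe($requestUri), PHP_EOL;
```

In the unsafe output the `"` closes the attribute and `<b>` is parsed as a tag; in the hardened output the quote and angle brackets are emitted as `&quot;`, `&lt;` and `&gt;`, so the browser treats the whole value as attribute text.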