Windu CMS 4.1 Vulnerability Advisory: CSRF, XSS, Auth Bypass (CVE-2025-59110-59117)

Critical Vulnerability Information Vulnerability Overview Platform: Windu CMS Version: 4.1 Report Date: November 18, 2025 Vendor: JCD Report Source: CERT Polska Vulnerability Details 1. CVE-2025-59110 - Type: CSRF (CWE-352) - Description: Windu CMS contains a CSRF vulnerability in the user editing functionality, allowing attackers to tamper with CSRF protection mechanisms using user tokens. 2. CVE-2025-59111 - Type: Incorrect Authorization (CWE-863) - Description: The authorization implementation allows attackers with admin privileges to bypass graphical interface restrictions and directly access super-administrator functions via HTTP requests. 3. CVE-2025-59112 - Type: CSRF (CWE-352) - Description: A CSRF vulnerability exists in the user editing functionality, enabling attackers to trick users into visiting malicious websites and automatically submitting POST requests. 4. CVE-2025-59113 - Type: Improper Restriction of Excessive Authentication Attempts (CWE-307) - Description: Failed login attempts and timing are not properly tracked; attackers can bypass brute-force protection by resetting the parameter. 5. CVE-2025-59114 - Type: CSRF (CWE-352) - Description: A CSRF vulnerability exists in the file upload functionality, allowing attackers to trick users into uploading malicious files. 6. CVE-2025-59115 - Type: Stored XSS (CWE-79) - Description: A stored XSS vulnerability exists on the login page, allowing unvalidated HTML/JavaScript code to be rendered and executed. 7. CVE-2025-59116 - Type: Observing Response Discrepancy (CWE-204) - Description: During login, there are communication discrepancies that attackers can exploit to brute-force guess usernames. 8. CVE-2025-59117 - Type: Stored XSS (CWE-79) - Description: An XSS vulnerability exists at the endpoint, allowing malicious script injection that poses a threat to other users.

Goal Reached Thanks to every supporter — we hit 100%!

Windu CMS 4.1 Vulnerability Advisory: CSRF, XSS, Auth Bypass (CVE-2025-59110-59117)