Miggo Logo
Miggo Vulnerability Database
CVE-2025-61413

CVE-2025-61413: Piranha CMS vulnerable to stored cross-site scripting (XSS)

N/A

CVSS Score

Basic Information

CVE ID
CVE-2025-61413
GHSA ID
GHSA-3qcp-9v8c-6jp7
EPSS Score
-
CWE
CWE-79
Published
10/23/2025
Updated
10/23/2025
KEV Status
No
Technology
TechnologyC#

Technical Details

CVSS Vector
-
Package NameEcosystemVulnerable VersionsFirst Patched Version
Piranhanuget<= 12.0.0

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability is a stored Cross-Site Scripting (XSS) issue in the Piranha CMS manager interface, specifically within the page editor's content blocks. The analysis of the patch commit 0a1e5081b9e954856ad9fe641335ab049b27090d reveals that the vulnerability existed in how user input was handled in certain Vue.js components.

In the quote-block component, the onAuthorBlur and onBodyBlur methods directly assigned user-provided innerText to the data model. This was unsafe because the text was not sanitized, allowing HTML and script injection.

In the text-block component, the v-model directive was used on a textarea. This created a direct, unsanitized two-way data binding between the user's input and the component's data model. Any content typed by the user was immediately reflected in the model and subsequently stored.

The patch addresses these issues by introducing DOMPurify.sanitize to clean the input in all identified vulnerable locations before it is stored in the data model. The identified functions are the direct entry points for the malicious payloads.

Vulnerable functions

quote-block.onAuthorBlur
core/Piranha.Manager/assets/src/js/components/blocks/quote-block.vue
The function directly assigned the `innerText` of a user-editable element to the data model without sanitization. An attacker could provide a crafted payload that would be stored and later rendered as HTML, leading to a stored cross-site scripting (XSS) vulnerability.
quote-block.onBodyBlur
core/Piranha.Manager/assets/src/js/components/blocks/quote-block.vue
Similar to `onAuthorBlur`, this function assigned the `innerText` of a user-editable element to the data model without sanitization. This allowed for the injection of malicious scripts, which would be stored and executed when the content is rendered.
text-block.(v-model)
core/Piranha.Manager/assets/src/js/components/blocks/text-block.vue
The component used the `v-model` directive to bind user input from a textarea directly to the `model.body.value`. This two-way binding updated the model on every input event without any sanitization. This allowed an attacker to inject a malicious payload into the markdown block, which was then stored and executed in the browser of users viewing the page. The patch replaces `v-model` with a manual `onChange` handler that sanitizes the input.

WAF Protection Rules

WAF Rule

* stor** *ross-sit* s*riptin* (XSS) vuln*r**ility in t** /m*n***r/p***s *ompon*nt o* Pir*n** *MS v**.* *llows *tt**k*rs to *x**ut* *r*itr*ry w** s*ripts or *TML vi* *r**tin* * p*** *n* inj**tin* * *r**t** p*ylo** into t** M*rk*own *lo*ks.

Reasoning

T** vuln*r**ility is * stor** *ross-Sit* S*riptin* (XSS) issu* in t** Pir*n** *MS m*n***r int*r****, sp**i*i**lly wit*in t** p*** **itor's *ont*nt *lo*ks. T** *n*lysis o* t** p*t** *ommit `****************************************` r*v**ls t**t t** vu