CVE-2025-41046 in CMFinfo

Summary

by MITRE • 09/04/2025

A vulnerability has been discovered in appRain CMF version 4.0.5, consisting of a stored authenticated XSS due to a lack of proper validation of user input, through the 'data[Addon][layouts]' and 'data[Addon][layouts_except]' parameters in /apprain/developer/addons/update/960grid.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 09/05/2025

This vulnerability represents a critical stored cross-site scripting flaw in appRain CMF version 4.0.5 that allows authenticated attackers to inject malicious code into the application's backend. The vulnerability specifically manifests through the 'data[Addon][layouts]' and 'data[Addon][layouts_except]' parameters within the /apprain/developer/addons/update/960grid endpoint, which fails to properly validate or sanitize user input before processing. The flaw occurs when administrators or authorized users interact with the addon management system, creating a persistent security risk that can affect all users of the application.

The technical implementation of this vulnerability stems from insufficient input validation mechanisms within the application's parameter handling system. When legitimate users submit data through the specified parameters, the application stores this input without adequate sanitization or encoding, allowing malicious payloads to be persisted in the database. This stored data is then executed whenever the affected page is accessed, making it a classic stored XSS vulnerability rather than a reflected one. The vulnerability is particularly concerning because it requires authentication but operates within the administrative context, potentially allowing attackers who gain access to valid credentials to escalate their privileges or compromise the entire application.

From an operational impact perspective, this vulnerability creates significant risk for organizations using appRain CMF 4.0.5, as it enables attackers to execute arbitrary JavaScript code in the context of authenticated user sessions. This could lead to session hijacking, data exfiltration, privilege escalation, or complete system compromise. The attack vector requires an authenticated user context, which means that attackers must first obtain valid credentials, but once achieved, they can leverage this vulnerability to maintain persistent access and conduct further reconnaissance or exploitation activities. The stored nature of the vulnerability means that the malicious code remains active until manually removed from the database, creating a long-term security risk for affected systems.

Organizations should immediately implement mitigations including input validation and sanitization of all user-supplied data, particularly within administrative interfaces. The fix should involve implementing proper output encoding when rendering user data, implementing Content Security Policy headers to limit script execution, and conducting thorough input validation to reject potentially malicious payloads. This vulnerability aligns with CWE-79 which specifically addresses cross-site scripting flaws, and maps to ATT&CK technique T1566.001 for initial access through malicious file downloads, though in this case the attack occurs through legitimate administrative functions. System administrators should also consider implementing web application firewalls to detect and block suspicious parameter values, and conduct regular security audits of administrative interfaces to identify similar input validation gaps. The vulnerability highlights the importance of secure coding practices and proper input sanitization in all application components, particularly those handling user-supplied data in administrative contexts.

Responsible

INCIBE

Reservation

04/16/2025

Disclosure

09/04/2025

Moderation

accepted

CPE

ready

EPSS

0.00162

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!