Full Report
CERT Polska has received a report about 8 vulnerabilities (from CVE-2025-59110 to CVE-2025-59117) found in Windu CMS software.
Analysis Summary
This summary consolidates the information for the eight vulnerabilities discovered in Windu CMS software (CVE-2025-59110 through CVE-2025-59117).
---
# Vulnerability: Multiple Flaws in Windu CMS (CSRF, XSS, Auth Bypass)
## CVE Details
The following CVEs have been reported, but specific CVSS scores are not provided in the source text. *Severity assessment should be performed upon availability of full CVSS vectors.*
| CVE ID | Vulnerability Type (CWE) |
| :--- | :--- |
| CVE-2025-59110 | Cross-Site Request Forgery (CSRF) (CWE-352) |
| CVE-2025-59111 | Incorrect Authorization (CWE-863) |
| CVE-2025-59112 | Cross-Site Request Forgery (CSRF) (CWE-352) |
| CVE-2025-59113 | Improper Restriction of Excessive Authentication Attempts (CWE-307) |
| CVE-2025-59114 | Cross-Site Request Forgery (CSRF) (CWE-352) |
| CVE-2025-59115 | Stored Cross-Site Scripting (XSS) (CWE-79) |
| CVE-2025-59116 | Observable Response Discrepancy (User Enumeration) (CWE-204) |
| CVE-2025-59117 | Stored Cross-Site Scripting (XSS) (CWE-79) |
## Affected Systems
- **Products:** Windu CMS (Vendor: JCD)
- **Versions:** 4.1 (before build 2250)
- **Configurations:** Affects instances running Windu CMS version 4.1 prior to the specified build.
## Vulnerability Description
This report covers eight distinct vulnerabilities, falling into three groups: weak authentication controls (brute-force protection, user enumeration), missing or broken request/authorization checks (CSRF, incorrect authorization), and injection flaws (stored XSS):
1. **CSRF token bypass (CVE-2025-59110):** The CSRF protection on the user-editing functionality accepts a CSRF token issued to a different user, so the token does not actually bind a request to the session that sends it. According to the report, this allowed an attacker to delete Super Administrator accounts with a GET request, an action the GUI does not expose.
2. **Incorrect Authorization (CVE-2025-59111):** An authorization flaw that lets a user perform actions outside their privilege level. The source advisory gives no further detail.
3. **CSRF (CVE-2025-59112):** An attacker who lures a logged-in administrator to a malicious website can make the administrator's browser issue a state-changing POST request, resulting in the deletion of other users.
4. **Weak Brute-Force Protection (CVE-2025-59113):** Attempt counting and lockout rely solely on a client-controlled parameter, `loginError`. Because the client owns that value, an attacker simply resets or omits it in their own requests and the server never enforces a limit.
5. **CSRF (CVE-2025-59114):** CSRF in the file-upload functionality lets an attacker make a victim's browser upload attacker-chosen files to the server.
6. **Stored XSS (CVE-2025-59115):** The logon page does not validate its input, so HTML/JavaScript submitted there is stored and later executes when an administrator reviews the logs in the admin panel.
7. **User Enumeration (CVE-2025-59116):** The logon response differs depending on whether the supplied username exists, letting an attacker confirm valid accounts before running targeted brute-force attacks (which CVE-2025-59113 then makes practical).
8. **Stored XSS (CVE-2025-59117):** Multiple stored XSS vulnerabilities in the page-editing endpoint (`/windu/admin/content/pages/edit`). Exploitation requires a privileged account, but the stored payload can target users with higher privileges who view the affected content.
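The following Python sketch, added here as an illustration and not taken from Windu CMS or from the vendor's fix, shows the server-side checks whose absence underlies items 1, 4 and 7 above: a failure counter kept on the server that no client-supplied `loginError` value can reset, a single failure message and equal-cost comparison for unknown users and wrong passwords, and anti-CSRF tokens validated against the session that received them rather than against "any token ever issued". The user store, thresholds, and names (`LoginGuard`, `CsrfTokens`, `login`) are assumptions for the example.

```python
import hashlib
import hmac
import secrets
import time

MAX_ATTEMPTS = 5          # assumed policy values for the example
LOCKOUT_SECONDS = 300
GENERIC_FAILURE = "Invalid username or password."


def _hash(pw: str) -> str:
    # Stand-in for a real password hash (use argon2/bcrypt in production).
    return hashlib.sha256(pw.encode()).hexdigest()


# Constructed user store for the example, not Windu CMS data.
USERS = {"admin": _hash("correct horse battery staple")}
DUMMY_HASH = _hash("placeholder")   # compared against when the user does not exist


class LoginGuard:
    """Failure counter held on the server, keyed by (account, client IP).
    Nothing the client sends, such as a `loginError` parameter or cookie,
    can reset it; that is the difference from the scheme in CVE-2025-59113."""

    def __init__(self):
        self._failures = {}   # (user, ip) -> (count, last_failure_ts)

    def is_locked(self, user, ip, now):
        key = (user.lower(), ip)
        count, last = self._failures.get(key, (0, 0.0))
        if count < MAX_ATTEMPTS:
            return False
        if now - last >= LOCKOUT_SECONDS:      # lockout window has elapsed
            del self._failures[key]
            return False
        return True

    def record_failure(self, user, ip, now):
        key = (user.lower(), ip)
        count, _ = self._failures.get(key, (0, 0.0))
        self._failures[key] = (count + 1, now)

    def record_success(self, user, ip):
        self._failures.pop((user.lower(), ip), None)


def login(guard, user, password, ip, login_error=None, now=None):
    """Authenticate `user`. `login_error` mimics the client-supplied counter
    the advisory describes and is deliberately ignored. Returns (ok, message)."""
    now = time.time() if now is None else now
    if guard.is_locked(user, ip, now):
        return False, GENERIC_FAILURE          # same text as a wrong password
    # Run the comparison even for unknown users so the unknown-user and
    # wrong-password paths cost the same and return the same message
    # (the discrepancy exploited in CVE-2025-59116).
    stored = USERS.get(user, DUMMY_HASH)
    match = hmac.compare_digest(stored, _hash(password))
    if not (match and user in USERS):
        guard.record_failure(user, ip, now)
        return False, GENERIC_FAILURE
    guard.record_success(user, ip)
    return True, "OK"


class CsrfTokens:
    """Anti-CSRF tokens bound to the issuing session. validate() asks whether
    the presented token is *this* session's token; validate_weak() shows the
    check that accepts any token the server ever issued, which is what lets a
    token belonging to another user pass (the pattern behind CVE-2025-59110)."""

    def __init__(self):
        self._by_session = {}

    def issue(self, session_id):
        token = secrets.token_urlsafe(32)
        self._by_session[session_id] = token
        return token

    def validate(self, session_id, presented):
        expected = self._by_session.get(session_id)
        return expected is not None and hmac.compare_digest(expected, presented or "")

    def validate_weak(self, presented):
        # Weak form for contrast: membership in the global set of issued tokens.
        return presented in self._by_session.values()
```

In a real deployment the `LoginGuard` state lives in shared storage (database or cache) so that every application node enforces the same limit, and the lockout is complemented by rate limiting per source address, since keying on the account alone lets an attacker lock legitimate users out.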
## Exploitation
- **Status:** Information on active exploitation is **Not specified** in the source advisory.
- **Complexity:** Inferred, since no CVSS vectors are provided. The CSRF and logon-page issues are **Low** complexity but need a victim: the CSRF flaws require a logged-in administrator to visit attacker-controlled content, and the logon-page stored XSS fires only when an administrator reviews the logs. The page-editing XSS (CVE-2025-59117) requires the attacker to already hold a privileged account. The authorization bypass (CVE-2025-59110/59111) is likely **Medium**, as it involves obtaining and reusing another user's token.
- **Attack Vector:** **Network** in all cases: crafted links or pages for CSRF, unauthenticated requests for the logon-page issues, and authenticated requests to the admin panel for the page-editing XSS and authorization flaws.
## Impact
| Component | Impact Summary (Inferred based on vulnerability type) |
| :--- | :--- |
| **Confidentiality** | **High** (XSS can lead to session hijacking or data leakage; User Enumeration aids targeted credential harvesting). |
| **Integrity** | **High** (CSRF allowing user/admin deletion, file uploads, or unauthorized actions). |
| **Availability** | **Medium** (Unauthorized user deletion could impact system access/availability). |
## Remediation
### Patches
- **Fixed Version:** Windu CMS **4.1 build 2250** and later versions contain fixes for all reported vulnerabilities.
### Workarounds
- No official workarounds are documented in the source advisory. Until the fixed build is deployed, the following general hardening measures (not vendor guidance) reduce exposure: restrict network access to the `/windu/admin/` panel to trusted addresses or a VPN; instruct administrators not to browse untrusted sites while logged in to the CMS, since the CSRF flaws need an authenticated victim; review and minimise the set of privileged accounts, which limits both the authorization-bypass and the privileged-XSS exposure; and apply the detection guidance in the next section.
## Detection
- **Indicators of Compromise:**
  - Unexpected administrative actions, in particular user or Super Administrator deletions and file uploads that no administrator recalls performing.
  - Login failures from a single source that cycle through many distinct usernames (enumeration), or high-volume failures against a single account (brute force the `loginError` counter never stopped).
  - HTML or script fragments in the usernames recorded in login logs, or in stored page content edited via `/windu/admin/content/pages/edit`.
- **Detection Methods and Tools:**
  - Web Application Firewalls (WAFs) tuned for XSS payloads in login and page-editing requests. Note that a WAF will not recognise a CSRF request by its payload, because it is a well-formed admin request; CSRF is better detected at the reverse proxy by logging `Origin`, `Referer`, and `Sec-Fetch-Site` and alerting on state-changing requests whose origin is not the CMS itself.
  - Log review of requests to the user-management and file-upload endpoints, focusing on GET requests that change state and on requests with a foreign or missing referrer.
  - Patch management systems tracking the Windu CMS build number against the fixed build (4.1 build 2250).
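As an added example, not a tool shipped by CERT Polska or by the vendor, the script below runs the three log checks above over a small constructed log. The log format (JSON lines with the submitted username attached to login events), the hostname `cms.example.test`, the thresholds, and the user-management and upload paths are assumptions; the advisory names only the `/windu/admin/content/pages/edit` endpoint, so adjust the patterns to the routes seen in your own access logs.

```python
import json
import re
from collections import defaultdict
from urllib.parse import urlsplit

SITE_HOST = "cms.example.test"   # assumed hostname of the protected instance
ENUM_THRESHOLD = 5               # distinct usernames failing from one client

# Endpoint patterns. Only /windu/admin/content/pages/edit comes from the
# advisory; the user-management and upload paths are placeholders.
SENSITIVE = re.compile(r"^/windu/admin/(users?/|files?/upload|content/pages/edit)")
LOGIN = re.compile(r"^/windu/admin/login$")
MARKUP = re.compile(r"<[a-z/!]|javascript:|\bon\w+\s*=", re.I)

# Constructed sample log in JSON-lines form, not real Windu CMS output.
SAMPLE_LOG = """\
{"ip":"192.0.2.10","method":"POST","path":"/windu/admin/users/delete","status":302,"referer":"https://cms.example.test/windu/admin/users"}
{"ip":"192.0.2.10","method":"GET","path":"/windu/admin/users/delete?id=1","status":302,"referer":"https://evil.example/csrf.html"}
{"ip":"192.0.2.11","method":"POST","path":"/windu/admin/files/upload","status":200,"referer":""}
{"ip":"203.0.113.5","method":"POST","path":"/windu/admin/login","status":401,"referer":"https://cms.example.test/windu/admin/login","user":"<script>alert(1)</script>"}
{"ip":"198.51.100.7","method":"POST","path":"/windu/admin/login","status":401,"referer":"https://cms.example.test/windu/admin/login","user":"alice"}
{"ip":"198.51.100.7","method":"POST","path":"/windu/admin/login","status":401,"referer":"https://cms.example.test/windu/admin/login","user":"bob"}
{"ip":"198.51.100.7","method":"POST","path":"/windu/admin/login","status":401,"referer":"https://cms.example.test/windu/admin/login","user":"carol"}
{"ip":"198.51.100.7","method":"POST","path":"/windu/admin/login","status":401,"referer":"https://cms.example.test/windu/admin/login","user":"dave"}
{"ip":"198.51.100.7","method":"POST","path":"/windu/admin/login","status":401,"referer":"https://cms.example.test/windu/admin/login","user":"erin"}
"""


def parse(text):
    """Parse JSON-lines text into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def analyze(events):
    """Return a list of findings, each {"rule", "ip", "path", "detail"}."""
    findings = []
    failed_users = defaultdict(set)   # ip -> usernames that failed to log in
    for e in events:
        path = e.get("path", "")
        if SENSITIVE.match(path):
            # CSRF indicator: a state-changing admin request whose referrer
            # is missing or belongs to another site.
            host = urlsplit(e.get("referer") or "").hostname
            if host != SITE_HOST:
                findings.append({"rule": "csrf_suspect", "ip": e["ip"], "path": path,
                                 "detail": f"referer host {host!r}, method {e['method']}"})
        if LOGIN.match(path):
            user = e.get("user", "")
            # Stored-XSS-in-logs indicator: markup submitted as a username.
            if MARKUP.search(user):
                findings.append({"rule": "markup_in_login", "ip": e["ip"],
                                 "path": path, "detail": user})
            if e.get("status") == 401:
                failed_users[e["ip"]].add(user)
    # Enumeration indicator: one client failing against many different accounts.
    for ip, users in failed_users.items():
        if len(users) >= ENUM_THRESHOLD:
            findings.append({"rule": "enumeration", "ip": ip, "path": "/windu/admin/login",
                             "detail": f"{len(users)} distinct usernames failed"})
    return findings


if __name__ == "__main__":
    for f in analyze(parse(SAMPLE_LOG)):
        print(f["rule"], f["ip"], f["path"], "-", f["detail"])
```

A missing `Referer` is a weak signal on its own, because browser privacy settings and referrer policies strip it; where possible log the `Origin` and `Sec-Fetch-Site` request headers at the reverse proxy and key the `csrf_suspect` rule on those instead.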
## References
- Vendor Advisory: N/A (Information derived from CERT Polska advisory published 18 November 2025 and updated 5 December 2025)
- Relevant Links:
- hxxps://www.cve.org/CVERecord?id=CVE-2025-59110 (and related CVE links)
- hxxps://cert.pl/en/cvd/ (For CVD process details)