HTML injection in Vox Media's Chorus CMS
Posted date 28/07/2025
Identifier
INCIBE-2025-0407
Importance
3 - Medium
Affected Resources
Chorus CMS.
Description
INCIBE has coordinated the publication of a low-severity vulnerability affecting Vox Media's Chorus CMS. The vulnerability was discovered by Gonzalo Aguilar García (6h4ack).
This vulnerability has been assigned the following code, CVSS v4.0 base score, CVSS vector, and CWE vulnerability type:
- CVE-2025-40730: CVSS v4.0: 4.8 | CVSS AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N | CWE-79
Solution
No solution has been reported at this time.
Detail
CVE-2025-40730: HTML injection in Vox Media's Chorus CMS. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending them a malicious URL using the 'q' parameter in '/search'. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user.
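Since no fix has been reported, access logs can be reviewed for requests to '/search' whose 'q' value decodes to HTML markup. The sketch below is an added example, not part of the INCIBE advisory or of Chorus itself; the log layout (client IP first, quoted request line), the markup heuristic and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [28/Jul/2025:10:00:01 +0000] "GET /search?q=election+results HTTP/1.1" 200 5120',
    '203.0.113.9 - - [28/Jul/2025:10:00:07 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 4988',
    '198.51.100.4 - - [28/Jul/2025:10:01:12 +0000] "GET /search?q=%253Cimg%2520src%253Dx%253E HTTP/1.1" 200 4990',
    '198.51.100.7 - - [28/Jul/2025:10:02:30 +0000] "GET /about?q=%3Cb%3E HTTP/1.1" 200 812',
    '198.51.100.8 - - [28/Jul/2025:10:03:44 +0000] "GET /search?q=a+%3C+b HTTP/1.1" 200 5001',
]

REQUEST = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/[\d.]+"')
# Heuristic (assumption): an opening/closing tag or a javascript: scheme in the value.
MARKUP = re.compile(r'<[/!]?[a-zA-Z]|javascript\s*:', re.IGNORECASE)

def fully_decode(value, max_rounds=3):
    """Undo nested percent-encoding so double-encoded markup is still seen."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_search_requests(lines):
    """Return (client_ip, decoded_q) for /search requests whose q holds markup."""
    hits = []
    for line in lines:
        m = REQUEST.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        if url.path.rstrip('/') != '/search':
            continue  # the advisory names only the /search endpoint
        for raw in parse_qs(url.query, keep_blank_values=True).get('q', []):
            value = fully_decode(raw)  # parse_qs already decoded one layer
            if MARKUP.search(value):
                hits.append((line.split()[0], value))
    return hits

if __name__ == "__main__":
    for ip, value in suspicious_search_requests(SAMPLE_LOG):
        print(f"{ip}\t{value!r}")
```

A hit only shows that markup was submitted in 'q'; whether it was reflected unencoded has to be confirmed against the response.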
CVE
Exploitation
No