CVE-2025-65271
Published: 08 December 2025
Description
Azuriom CMS versions prior to 1.2.7 contain a client-side template injection (CSTI) vulnerability in the admin dashboard. Untrusted input supplied by a low-privilege user is rendered into a client-side template without sanitization, so template expressions in that input are evaluated in an administrator's session when the administrator views the affected page, which can be used to escalate privileges. Fixed in version 1.2.7.
Security Summary
CVE-2025-65271 is a client-side template injection (CSTI) vulnerability in the admin dashboard of Azuriom, an open-source CMS. It affects versions prior to 1.2.7 and is classified under CWE-94 (Improper Control of Generation of Code ('Code Injection')). The issue arises when plugins or dashboard components render untrusted user input directly into client-side template source rather than passing it as data, so template expressions embedded in the input are compiled and evaluated along with the page. Unlike server-side template injection, the injected code does not run on the server: it runs in the browser of whoever views the rendered page, which in an admin dashboard means an authenticated administrator. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H): the PR:L component reflects that the attacker needs only a low-privilege account, and the High confidentiality, integrity and availability impacts reflect that the outcome is full administrative control of the instance.
A low-privilege user exploits this by submitting a value containing template expressions through an affected plugin or dashboard component, for example in a profile field that the dashboard later lists. When an administrator views the page that renders this value, the injected expressions execute with the administrator's browser context, including session cookies and any CSRF token exposed to page scripts, and can therefore issue dashboard requests on the administrator's behalf. That is the privilege-escalation path: the attacker can have the administrator's session grant their own account administrative rights or otherwise take over the CMS instance. Note that, whatever the CVSS vector states, exploitation in practice waits on an administrator opening the affected page.
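The mechanism above, as an added example that is not Azuriom's code and not the patched code from the fix commit: a minimal expression-evaluating client-side template engine, a hypothetical plugin component that splices a user-supplied username into template source (the vulnerable pattern), the same component with the username passed as data and HTML-escaped (the fixed pattern), and a stopgap tripwire for instances that cannot upgrade immediately. The engine, the component, the `adminCsrfToken` global and its value are all constructed for the illustration.

```javascript
// Added example (not Azuriom's code): a minimal client-side template engine
// that evaluates {{ expr }} with the Function constructor, as in-browser
// template engines commonly do. The bug class lives in how the dashboard
// component builds the template, not in the engine: untrusted input
// concatenated into template source gets evaluated; untrusted input passed
// as data does not.

// Constructed stand-in for secret state an attacker wants out of the
// administrator's session (a CSRF token exposed to page scripts).
globalThis.adminCsrfToken = 'constructed-token-123';

// Evaluate every {{ expr }} in `template` as a JavaScript expression with
// the keys of `data` in scope. Equivalent to what an expression-evaluating
// client-side template engine does; the expressions run in the viewer's
// browser, i.e. in the administrator's session when the viewer is an admin.
function renderTemplate(template, data) {
  const names = Object.keys(data);
  const values = Object.values(data);
  return template.replace(/\{\{([\s\S]+?)\}\}/g, (_, expr) => {
    const fn = new Function(...names, `return (${expr});`);
    return String(fn(...values));
  });
}

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// VULNERABLE (hypothetical plugin component): the username supplied by a
// low-privilege user is spliced into the template source, so any {{ }} in
// it becomes an expression that is evaluated when an admin views the page.
function renderUserRowVulnerable(username) {
  const templateSource = `<li class="user">${username}</li>`;
  return renderTemplate(templateSource, {});
}

// FIXED: the template source is a constant. The username only ever enters
// as data, so {{ }} inside it is inert text, and it is HTML-escaped on
// output so it cannot break out into markup either.
function renderUserRowFixed(username) {
  const templateSource = '<li class="user">{{ escapeHtml(name) }}</li>';
  return renderTemplate(templateSource, { name: username, escapeHtml });
}

// Stopgap detection for instances that cannot upgrade yet: flag submitted
// values carrying template delimiters. Not a fix, only a tripwire for logs
// or a pre-save reject; real engines differ in their delimiters.
function containsTemplateDelimiters(value) {
  return /\{\{|\}\}|\$\{/.test(String(value));
}

// Demonstration when run directly with node.
const probe = '{{ 7*7 }}';                        // classic CSTI probe
const exfil = '{{ globalThis.adminCsrfToken }}';  // reads admin-page state
console.log('vulnerable, probe :', renderUserRowVulnerable(probe));
console.log('vulnerable, exfil :', renderUserRowVulnerable(exfil));
console.log('fixed, probe      :', renderUserRowFixed(probe));
console.log('fixed, exfil      :', renderUserRowFixed(exfil));
console.log('tripwire          :', containsTemplateDelimiters(probe));
```

The two `renderUserRow*` functions take the same input and differ only in whether the value reaches the engine as template source or as data; that distinction, not the engine, is what a plugin audit should look for. In a real dashboard the evaluated expression would not merely read a token but use it to call the admin endpoints that grant the attacker's account admin rights.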
Azuriom addressed the vulnerability in version 1.2.7; the fix is commit 0289175547319add814dcb526e8ba034f1ebc3ec in the project's GitHub repository (https://github.com/Azuriom/Azuriom). Security practitioners should advise upgrading to Azuriom 1.2.7 or later. Because the flaw is in how untrusted values reach the client-side template, third-party plugins that render user-controlled values in the dashboard can carry the same bug independently of the core fix: review them for places where such values are concatenated into template source instead of being passed as data and escaped on output. Additional details are documented in the CVE advisory repository at https://github.com/1337Skid/CVE-2025-65271.
Details
- CWE(s): CWE-94 Improper Control of Generation of Code ('Code Injection')
- Affected Products: Azuriom CMS, versions prior to 1.2.7 (fixed in 1.2.7)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The client-side template injection (CSTI) vulnerability is exploited by getting an administrator's browser to evaluate attacker-supplied template expressions in the admin dashboard, which maps to Exploitation for Client Execution (T1203) and, loosely, Template Injection (T1221); ATT&CK defines T1221 in terms of document templates, so the latter is a fit by analogy rather than by definition. The resulting code execution in the administrator's session context is used to escalate a low-privilege account to administrative control, Exploitation for Privilege Escalation (T1068).