CVE-2025-65572

Source
https://cve.org/CVERecord?id=CVE-2025-65572
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-65572.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-65572
Published
2025-12-09T00:00:00Z
Modified
2026-07-15T01:49:12.658337275Z
Severity
  • 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
Summary
[none]
Details

Cross Site Scripting (XSS) vulnerability in AllskyTeam AllSky v2024.12.0606 allows remote attackers to execute arbitrary code via the (1) config, (2) filename, or (3) extratext parameter to allskySettings.php. When the page is reloaded or when user visits allskySettings.php, the showMessages() function in statusmessages.php will print out the error messages and execute the script injected by the attacker.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/65xxx/CVE-2025-65572.json",
    "cna_assigner": "mitre"
}
References

Affected packages

Git / github.com/allskyteam/allsky

Affected ranges

Type
GIT
Repo
https://github.com/allskyteam/allsky
Events
Database specific
{
    "cpe": "cpe:2.3:a:allskyteam:allsky:2024.12.06_06:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "2024.12.06_06"
        },
        {
            "last_affected": "2024.12.06_06"
        }
    ],
    "source": "CPE_STRING"
}

Affected versions

2024.*
2024.12.06_06
v2024.*
v2024.12.06_06

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-65572.json"