CVE-2025-65572

Source
https://cve.org/CVERecord?id=CVE-2025-65572
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-65572.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-65572
Published
2025-12-09T19:15:49.533Z
Modified
2026-04-10T05:34:06.299887Z
Severity
  • 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
[none]
Details

Cross Site Scripting (XSS) vulnerability in AllskyTeam AllSky v2024.12.0606 allows remote attackers to execute arbitrary code via the (1) config, (2) filename, or (3) extratext parameter to allskySettings.php. When the page is reloaded or when a user visits allskySettings.php, the showMessages() function in statusmessages.php prints out the error messages and executes the script injected by the attacker.

References

Affected packages

Git / github.com/AllskyTeam/allsky

Affected ranges

Type
GIT
Repo
https://github.com/AllskyTeam/allsky
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "2024.12.06_06"
        }
    ]
}

Affected versions

V0.*
V0.2
V0.4
v0.*
v0.5
v0.6
v0.7
v2022.*
v2022.03.01
v2023.*
v2023.05.01
v2023.05.01_03
v2023.05.01_04
v2023.05.01_05
v2024.*
v2024.12.06
v2024.12.06_01
v2024.12.06_02
v2024.12.06_03
v2024.12.06_04
v2024.12.06_05
v2024.12.06_06

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-65572.json"