CVE-2025-65271

HIGH

Azuriom < 1.2.7 - Authenticated Client-Side Template Injection via Admin Dashboard

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-65271. PoCs published by 1337Skid.

AI-analyzed exploit summary This PoC demonstrates a client-side template injection (CSTI) vulnerability in Azuriom CMS, allowing a low-privilege user to execute arbitrary template code in the context of an administrator's session. The exploit involves serving a malicious JavaScript payload via a controlled server to escalate privileges.

Description

Client-side template injection (CSTI) in Azuriom CMS admin dashboard allows a low-privilege user to execute arbitrary template code in the context of an administrator's session. This can occur via plugins or dashboard components that render untrusted user input, potentially enabling privilege escalation to an administrative account. Fixed in Azuriom 1.2.7.

Exploits (1)

nomisec WORKING POC 3 stars

by 1337Skid · poc

https://github.com/1337Skid/CVE-2025-65271

View Code ZIP pw:eip

This PoC demonstrates a client-side template injection (CSTI) vulnerability in Azuriom CMS, allowing a low-privilege user to execute arbitrary template code in the context of an administrator's session. The exploit involves serving a malicious JavaScript payload via a controlled server to escalate privileges.

Classification

Working Poc 90%

Attack Type

Xss

Complexity

Moderate

Reliability

Reliable

Target: Azuriom CMS < 1.2.7

Auth required

Prerequisites: Access to a low-privilege user account in Azuriom CMS · Ability to serve a malicious JavaScript payload via a controlled server

MITRE ATT&CK