CVE-2025-2123: GeSHi CSS cssgen.php get_var cross site scripting
Description
A vulnerability, which was classified as problematic, has been found in GeSHi up to 1.0.9.1. Affected by this issue is the function get_var of the file /contrib/cssgen.php of the component CSS Handler. The manipulation of the argument default-styles/keywords-1/keywords-2/keywords-3/keywords-4/comments leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Eine problematische Schwachstelle wurde in GeSHi bis 1.0.9.1 entdeckt. Es geht hierbei um die Funktion get_var der Datei /contrib/cssgen.php der Komponente CSS Handler. Dank Manipulation des Arguments default-styles/keywords-1/keywords-2/keywords-3/keywords-4/comments mit unbekannten Daten kann eine cross site scripting-Schwachstelle ausgenutzt werden. Der Angriff kann über das Netzwerk angegangen werden. Der Exploit steht zur öffentlichen Verfügung.
Classification
CVE ID: CVE-2025-2123
CVSS Base Severity: MEDIUM
CVSS Base Score: 5.1
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
Affected Products
Vendor: n/a
Product: GeSHi
Exploit Prediction Scoring System (EPSS)
EPSS Score: 0.03% (probability of being exploited)
EPSS Percentile: 6.82% (scored less or equal to compared to others)
EPSS Date: 2025-04-07 (when was this score calculated)
References
https://nvd.nist.gov/vuln/detail/CVE-2025-2123https://vuldb.com/?id.299036
https://vuldb.com/?ctiid.299036
https://vuldb.com/?submit.507418
https://github.com/GeSHi/geshi-1.0/issues/159
https://github.com/GeSHi/geshi-1.0/issues/159#issue-2880408694