CVE-2025-2123 — Cross-site Scripting in Geshi

CWE-79 — Cross-site Scripting CWE-94 — Code Injection5 documents4 sources

Severity

5.1MEDIUMNVD

EPSS

0.1%

top 70.32%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Qbnz Geshi Debian Geshi Geshi

Timeline

PublishedMar 9

Description

A vulnerability, which was classified as problematic, has been found in GeSHi up to 1.0.9.1. Affected by this issue is the function get_var of the file /contrib/cssgen.php of the component CSS Handler. The manipulation of the argument default-styles/keywords-1/keywords-2/keywords-3/keywords-4/comments leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Affected Packages5 packages

▶debiandebian/geshi< geshi 1.0.8.4-2 (bookworm)

▶Debianqbnz/geshi< 1.0.8.4-2+3

▶NVDqbnz/geshi1.0.9.1

▶Packagistgeshi/geshi1.0.9.1

▶CVEListV5qbnz/geshi1.0.9.0, 1.0.9.1+1

🔴Vulnerability Details

OSV

CVE-2025-2123: A vulnerability, which was classified as problematic, has been found in GeSHi up to 1↗2025-03-09

▶

GHSA

GeSHi XSS possible in the get_var function of /contrib/cssgen.php↗2025-03-09

▶

OSV

GeSHi XSS possible in the get_var function of /contrib/cssgen.php↗2025-03-09

▶

📋Vendor Advisories

Debian

CVE-2025-2123: geshi - A vulnerability, which was classified as problematic, has been found in GeSHi up...↗2025

▶