BEMO Album - Reflected cross-site scripting (XSS)
Summary
| Name | BEMO Album 4. - Reflected cross-site scripting (XSS) |
| Code name | skims-0036 |
| Product | BEMO Album |
| Affected versions | Version 4. |
| State | Private |
| Release date | 2025-03-14 |
Vulnerability
| Kind | Reflected cross-site scripting (XSS) |
| Rule | Reflected cross-site scripting (XSS) |
| Remote | No |
| CVSSv4 Vector | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:L/VA:L/SC:L/SI:L/SA:L/E:U |
| CVSSv4 Base Score | 4.8 (Medium) |
| Exploit available | No |
| CVE ID(s) | CVE-2025-31309 |
Description
BEMO Album 4. was found to be vulnerable. The web application dynamically generates web content without validating the source of the potentially untrusted data in myapp/classes/class.Image_To_Album_Table .php.
Vulnerability
Skims by Fluid Attacks discovered a Reflected cross-site scripting (XSS) in BEMO Album 4.. The following is the output of the tool:
Skims output
643 | function tt_render_list_page()
644 | {
645 |
646 | //Create an instance of our package class...
647 | $testListTable = new Image_To_Album_Table();
648 | //Fetch, prepare, sort, and filter our data...
649 | $testListTable->prepare_items();
650 |
651 | ?>
652 | <div class=""wrap"">
653 |
654 | <div id=""icon-users"" class=""icon32""><br/></div>
655 |
656 | <!-- Forms are NOT created automatically, so you need to wrap the table in one to use features like bulk actions
657 | <form id=""pictures-filter"" method=""get"">
658 | <!-- For plugins, we also need to ensure that the form posts back to our current page -->
> 659 | <input type=""hidden"" name=""page"" value=""<?php echo $_REQUEST['page'] ?>"" />
660 | <!-- Now we can render the completed list table -->
661 | <?php $testListTable->display() ?>
662 | </form>
663 |
664 | </div>
665 | <?php
666 | }
^ Col 0
Our security policy
We have reserved the ID CVE-2025-31309 to refer to this issue from now on.
System Information
- Product: BEMO Album
- Version: 4.
Mitigation
There is currently no patch available for this vulnerability.
Credits
The vulnerability was discovered by Andres Roldan from Fluid Attacks' Offensive Team using Skims
Timeline
2025-03-14
Vulnerability discovered.
2025-03-14
Vendor contacted.
