AItoSocial - Reflected cross-site scripting (XSS)
Summary
Name | AItoSocial 1.0. - Reflected cross-site scripting (XSS) |
Code name | skims-0052 |
Product | AItoSocial |
Affected versions | Version 1.0. |
State | Private |
Release date | 2025-03-14 |
Vulnerability
Kind | Reflected cross-site scripting (XSS) |
Rule | Reflected cross-site scripting (XSS) |
Remote | No |
CVSSv4 Vector | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:L/VA:L/SC:L/SI:L/SA:L/E:U |
CVSSv4 Base Score | 4.8 (Medium) |
Exploit available | No |
CVE ID(s) | CVE-2025-31316 |
Description
AItoSocial 1.0. was found to be vulnerable. The web application dynamically generates web content without validating the source of the potentially untrusted data in myapp/App/Pages/Share/Views/Modals/add.php.
Vulnerability
Skims by Fluid Attacks discovered a Reflected cross-site scripting (XSS) in AItoSocial 1.0.. The following is the output of the tool:
Skims output
124 | </div>
125 | <div class="fsp-col-12 fsp-col-lg-6 fsp-share-rightcol">
126 | <?php Pages::controller( 'Base', 'MetaBox', 'post_meta_box', [
127 | 'post_id' => $fsp_params[ 'post_id' ]
128 | ] ); ?>
129 | </div>
130 | </div>
131 |
132 | <script>
133 | FSPObject.saveID = <?php echo (int) $fsp_params[ 'post_id' ]; ?>;
> 134 | FSPObject.scheduleDate = "<?php echo $_POST[ 'schedule_date' ]; ?>";
135 | jQuery( document ).ready( function () {
136 | FSPoster.load_script( '<?php echo Pages::asset( 'Base', 'js/fsp.js' ); ?>' );
137 | FSPoster.load_script( '<?php echo Pages::asset( 'Share', 'js/fsp-share.js' ); ?>' );
138 | } );
139 | </script>
140 | </div>
^ Col 0
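As an added example that is not part of the advisory or of the AItoSocial code base, the pattern flagged at line 134 rendered two ways in PHP: the vulnerable form, and a hardened form that validates schedule_date against an assumed YYYY-MM-DD HH:MM format (the real format is not stated on the page) and emits it with json_encode for the script context, the same instinct line 133 already applies to post_id with its (int) cast.

```php
<?php
declare(strict_types=1);
// Added example, not AItoSocial's own code. render_vulnerable() mirrors the
// pattern at line 134 of add.php; render_hardened() is one defensive rewrite.

// Vulnerable: request input is pasted into a JavaScript string literal, so a
// quote, backslash or "</script>" in the value changes the script's meaning.
function render_vulnerable(string $scheduleDate): string
{
    return 'FSPObject.scheduleDate = "' . $scheduleDate . '";';
}

// Assumed format "YYYY-MM-DD HH:MM" (hypothetical; the advisory does not state
// the real one). Returns the value only when it is structurally and
// calendrically valid, otherwise null.
function validate_schedule_date(?string $raw): ?string
{
    if ($raw === null || !preg_match('/^\d{4}-\d{2}-\d{2} \d{2}:\d{2}$/', $raw)) {
        return null;
    }
    $dt = DateTimeImmutable::createFromFormat('Y-m-d H:i', $raw);
    // Round-trip check rejects impossible dates such as 2025-02-30.
    return ($dt !== false && $dt->format('Y-m-d H:i') === $raw) ? $raw : null;
}

// Hardened: validate first, then encode for the <script> context. The
// JSON_HEX_* flags hex-escape < > & ' " so the emitted literal cannot close
// the string or the surrounding <script> element even if validation is later
// loosened to accept free-form text.
function render_hardened(?string $rawScheduleDate): string
{
    $value = validate_schedule_date($rawScheduleDate) ?? '';
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    return 'FSPObject.scheduleDate = ' . json_encode($value, $flags) . ';';
}

// Constructed sample inputs: a well-formed date and one carrying a stray quote.
$benign  = '2025-03-14 10:30';
$hostile = '2025-03-14 10:30" x';

echo render_vulnerable($hostile), PHP_EOL; // the stray quote ends the literal early
echo render_hardened($hostile), PHP_EOL;   // fails validation, an empty string is emitted
echo render_hardened($benign), PHP_EOL;
```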
Our security policy
We have reserved the ID CVE-2025-31316 to refer to this issue from now on.
System Information
- Product: AItoSocial
- Version: 1.0.
Mitigation
There is currently no patch available for this vulnerability.
Credits
The vulnerability was discovered by Andres Roldan from Fluid Attacks' Offensive Team using Skims.
Timeline

2025-03-14
Vulnerability discovered.

2025-03-14
Vendor contacted.