GeSHi Cross-Site Scripting Vulnerability in CSS Handler Component

Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in GeSHi versions through 1.0.9.1. The issue resides in the CSS Handler component, specifically within the 'get_var' function of the 'contrib/cssgen.php' file. It allows remote attackers to inject malicious HTML, which is executed when the affected page is viewed. The flaw impacts systems that use Composer to install the GeSHi library and have not removed the 'contrib' directory. Affected applications may include DokuWiki, Mambo, phpBB, and WikkaWiki.

Impact

Exploitation of this vulnerability allows for cross-site scripting, where injected scripts are executed in the context of the user's browser.

Reproduction

To reproduce this vulnerability, send a request to 'contrib/cssgen.php' with crafted 'default-styles', 'keywords-1', 'comments', and 'escaped-chars' parameters containing malicious JavaScript, such as a script tag alerting the document cookie.
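A defender can look for such requests in web server access logs. The following is an added example, not code from GeSHi or from this advisory: it flags requests to 'contrib/cssgen.php' in which one of the four parameters named above decodes to a value containing angle brackets. The log format and the sample lines are assumptions constructed for illustration, and only parameters sent in the query string are visible to it.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Parameter names come from the advisory's reproduction note.
WATCHED = {"default-styles", "keywords-1", "comments", "escaped-chars"}
# Assumption: requests are logged as "METHOD target HTTP/x.y" (common/combined format).
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

# Constructed sample lines (addresses, paths and values are made up).
SAMPLE_LOG = [
    '203.0.113.7 - - [09/Jun/2025:19:40:01 +0000] "GET /app/contrib/cssgen.php?keywords-1=color%3A%20%23000 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [09/Jun/2025:19:41:12 +0000] "GET /app/contrib/cssgen.php?comments=%3Cscript%3E&escaped-chars=%3Cscript%3E HTTP/1.1" 200 5344',
    '203.0.113.9 - - [09/Jun/2025:19:41:15 +0000] "GET /app/contrib/cssgen.php?default-styles=%253Cscript%253E HTTP/1.1" 200 5301',
    '203.0.113.4 - - [09/Jun/2025:19:42:30 +0000] "GET /index.php?comments=%3Cb%3E HTTP/1.1" 200 812',
]

def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding so double-encoded markup is still seen."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_params(log_line):
    """Return the watched parameter names whose decoded value contains < or >."""
    match = REQUEST.search(log_line)
    if not match:
        return []
    url = urlsplit(match.group(1))
    if not unquote(url.path).lower().endswith("/contrib/cssgen.php"):
        return []
    hits = set()
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        if name in WATCHED and re.search(r"[<>]", fully_decode(value)):
            hits.add(name)
    return sorted(hits)

def scan(lines):
    """Return (line number, parameter names) for every flagged line."""
    return [(n, p) for n, line in enumerate(lines, 1) if (p := suspicious_params(line))]

if __name__ == "__main__":
    for lineno, params in scan(SAMPLE_LOG):
        print(f"line {lineno}: markup in {', '.join(params)}")
```

Any hit on a production host also indicates that the 'contrib' directory is still deployed and reachable.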

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 4.2
impact: 1.7
exploitability: 4.4
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.