Platform: other
Component: warehouse
Fixed in: 1.0.1
CVE-2025-0398 is a cross-site scripting (XSS) vulnerability in Longpi1 Warehouse version 1.0, classified as "problematic" by the reporting database. Manipulation of the 'remark' argument sent to the /resources/..;/inport/updateInport endpoint lets an attacker inject script into pages the application renders for its users. Affected users should upgrade to version 1.0.1, which addresses the issue.
Successful exploitation executes attacker-controlled JavaScript in the browser of a user who views the injected content, with that user's session and privileges. Depending on cookie flags and the application's features, that can mean session hijacking, credential theft, actions performed as the victim, or defacement of the warehouse interface. The endpoint is reachable remotely, but XSS still needs a victim to load the affected content, so the exposed population is every user who views the manipulated remark rather than the server itself. The CVSS base score is LOW; even so, the impact on user data and application integrity warrants prompt remediation.
The vulnerability was publicly disclosed on 2025-01-12. The disclosure names the vulnerable parameter and endpoint, so a working payload is trivial to construct even if no proof-of-concept is published. It is not listed on CISA KEV at the time of writing. The LOW score and the EPSS estimate both point to a low probability of widespread exploitation, but XSS of this kind is simple to exercise, so treat remediation as routine work rather than optional.
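As an added example (not part of the advisory, and not the Warehouse project's code), the following JavaScript scans constructed web-server access-log lines for requests that reach the reported endpoint. It normalises the `..;/` form of the path the way a Java servlet container such as Tomcat does, dropping `;`-separated path parameters from each segment before resolving `..`; that the Warehouse application runs on such a stack is an assumption made here and is not stated on this page. The sample log lines, IP addresses and user agents are constructed for the demo.

```javascript
// Added example, not from the Warehouse project or the advisory: hunting
// access logs for requests that reach the reported endpoint. The log lines
// are constructed for the demo (combined log format). The `..;/` handling
// assumes a Java servlet container such as Tomcat, which strips ";param" from
// each path segment before resolving ".."; that assumption about Warehouse's
// stack is not stated in the advisory.
const SAMPLE_LOG = `
10.0.0.5 - - [12/Jan/2025:10:01:02 +0000] "GET /inport/list HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Jan/2025:10:02:17 +0000] "POST /resources/..;/inport/updateInport HTTP/1.1" 200 77 "-" "python-requests/2.32"
10.0.0.9 - - [12/Jan/2025:10:02:20 +0000] "GET /resources/..%3B/inport/updateInport?id=3&remark=%3Cimg+src%3Dx+onerror%3Dalert(1)%3E HTTP/1.1" 200 77 "-" "python-requests/2.32"
10.0.0.7 - - [12/Jan/2025:10:03:00 +0000] "POST /inport/updateInport HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.8 - - [12/Jan/2025:10:04:00 +0000] "GET /resources/css/app.css HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
`.trim();

const TARGET_PATH = '/inport/updateInport';
const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) /;
const XSS_HINT = /<|javascript:|\bon[a-z]+\s*=/i;

function safeDecode(s) {
  try { return decodeURIComponent(s); } catch { return s; }
}

// Servlet-style normalisation: drop ";..." from every segment, then resolve
// "." and "..". /resources/..;/inport/x therefore maps to /inport/x, which is
// why a rule matching only the literal "/inport/updateInport" in the raw
// request line misses the bypass form.
function normalisePath(rawTarget) {
  const out = [];
  for (const seg of safeDecode(rawTarget.split('?')[0]).split('/')) {
    const clean = seg.split(';')[0];
    if (clean === '' || clean === '.') continue;
    if (clean === '..') { out.pop(); continue; }
    out.push(clean);
  }
  return '/' + out.join('/');
}

// Reads one query-string parameter from the raw request target (GET form only).
function queryParam(rawTarget, name) {
  const query = rawTarget.split('?')[1];
  if (!query) return null;
  for (const pair of query.split('&')) {
    const i = pair.indexOf('=');
    const k = i < 0 ? pair : pair.slice(0, i);
    const v = i < 0 ? '' : pair.slice(i + 1);
    if (safeDecode(k) === name) return safeDecode(v.replace(/\+/g, ' '));
  }
  return null;
}

// Returns one finding per suspicious request with the reasons it matched.
// Access logs carry no POST body, so a remark sent in the body is invisible
// here; the path indicator is the signal that survives in standard logs.
function analyseLog(text = SAMPLE_LOG) {
  const findings = [];
  for (const line of text.split('\n')) {
    const m = LOG_RE.exec(line);
    if (!m) continue;
    const [, ip, ts, method, rawTarget, status] = m;
    if (normalisePath(rawTarget) !== TARGET_PATH) continue;
    const reasons = [];
    if (/\.\.(;|%3b)/i.test(rawTarget)) reasons.push('..; path-parameter traversal to reach endpoint');
    const remark = queryParam(rawTarget, 'remark');
    if (remark !== null && XSS_HINT.test(remark)) reasons.push('markup in remark parameter');
    if (reasons.length) findings.push({ ip, ts, method, rawTarget, status, reasons });
  }
  return findings;
}

for (const f of analyseLog()) console.log(f);
```

Run against the constructed log, the plain POST to /inport/updateInport from 10.0.0.7 is not reported, while both requests from 10.0.0.9 are: the first for using the `..;/` form of the path, the second for that and for markup in the remark query parameter. Because the remark is most likely submitted in a POST body in real traffic, the path indicator is what you can actually expect to find in access logs; to confirm whether a payload was stored, inspect the remark values in the application's database directly.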
Exploit Status
EPSS
0.10% (28th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-0398 is to upgrade Longpi1 Warehouse to version 1.0.1, which includes the fix. If upgrading immediately is not feasible, validate the 'remark' parameter on the /resources/..;/inport/updateInport endpoint and, more importantly, HTML-encode the stored value wherever it is written into a page; filtering a single input parameter is a stopgap, because XSS is a failure of output encoding and the same data may reach other pages. A web application firewall configured to block XSS payloads aimed at this endpoint can add a temporary layer of protection. Note that the reported path contains a `..;/` segment: a WAF or access-control rule that matches only the literal string /inport/updateInport must also cover this path-parameter form and its URL-encoded variants (such as `..%3B/`), or the rule is trivially skipped. After upgrading, confirm the fix on a non-production instance or with explicit authorization: submit a benign marker payload such as `<b>test</b>` through 'remark' and check the rendered HTML to verify that the characters arrive encoded (`&lt;b&gt;`) rather than relying on the absence of a visible pop-up.
In short: update to a patched version or apply the vendor's security measures; encode output and validate input for the 'remark' field; and if no patch can be applied, disable or restrict access to the affected functionality.
CVE-2025-0398 is a cross-site scripting (XSS) vulnerability affecting Longpi1 Warehouse version 1.0, allowing attackers to inject malicious scripts through the 'remark' parameter.
If you are using Longpi1 Warehouse version 1.0, you are potentially affected by this vulnerability. Upgrade to version 1.0.1 to mitigate the risk.
The recommended fix is to upgrade Longpi1 Warehouse to version 1.0.1. As a temporary workaround, validate the 'remark' parameter and HTML-encode it wherever it is displayed; a WAF rule for the endpoint can help, provided it also covers the `..;/` path form and its URL-encoded variants.
There is no confirmed active exploitation at this time, and the CVE is not on CISA KEV, but the endpoint and parameter are public and XSS of this kind is simple to exercise, so it could be targeted.
Refer to the Longpi1 Warehouse official website or security advisories for the latest information and updates regarding CVE-2025-0398.