Platform: php
Component: zzz
Fixed in: 3403.0.1
CVE-2025-14722 describes a cross-site scripting (XSS) vulnerability discovered in vion707 DMadmin, affecting versions up to 3403cafdb42537a648c30bf8cbc8148ec60437d1. Successful exploitation allows an attacker to inject malicious scripts into the application, potentially compromising user sessions and data. A fix is available in version 3403.0.1.
This XSS vulnerability allows an attacker to inject arbitrary JavaScript code into the DMadmin interface. An attacker could leverage this to steal user credentials, redirect users to malicious websites, or deface the application. The impact is amplified if DMadmin is used to manage sensitive data or control critical infrastructure, as an attacker could potentially gain unauthorized access and control. The publicly disclosed nature of the exploit increases the likelihood of exploitation, especially given the vendor's lack of response to the disclosure.
This vulnerability has been publicly disclosed, increasing the risk of exploitation. While the CVSS score is LOW (2.4), the public availability of the exploit makes it a significant concern. The vendor's lack of response to the disclosure further exacerbates the risk, suggesting that a patch may not be prioritized. There is no indication of this being added to the CISA KEV catalog or active exploitation campaigns at this time.
Exploit Status
EPSS: 0.04% (11th percentile)
CISA SSVC
CVSS Vector
The primary mitigation is to upgrade to version 3403.0.1 or later, which contains the fix for this vulnerability. If upgrading immediately is not possible, consider temporary workarounds such as output encoding (HTML-escaping untrusted values at the point where they are rendered) together with input validation on the Add function within Admin/Controller/AddonsController.class.php. Web application firewalls (WAFs) configured to detect and block XSS payloads can also provide a layer of protection, but they do not replace fixing the code. After upgrading, confirm the vulnerability is resolved by submitting a simple XSS test string to the Add function and verifying that it is rendered as inert text rather than executed.
Update DMadmin to a version later than 3403cafdb42537a648c30bf8cbc8148ec60437d1. If no updates are available, review and sanitize user inputs in the file Admin/Controller/AddonsController.class.php, Add function, to prevent malicious code injection.
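To make the "input validation and output encoding" workaround concrete, the following is an added PHP illustration; it is not DMadmin's own code, and the function names, the request field name and the validation policy are assumptions. It shows a controller-style render step that echoes untrusted input raw beside a hardened version that HTML-encodes at the output point, plus a self-check that mirrors the advisory's suggested post-upgrade verification.

```php
<?php
// Added illustration (not DMadmin's own code). Function and field names are
// assumptions chosen for the example; the real Add action is in
// Admin/Controller/AddonsController.class.php according to the advisory.

// Hypothetical "before": a submitted value is concatenated straight into HTML,
// so any markup in it becomes live content in the viewer's browser.
function renderAddonVulnerable(array $request): string
{
    $name = $request['name'] ?? '';
    return '<div class="addon-name">' . $name . '</div>';
}

// Output encoding helper. ENT_QUOTES also encodes ' and " so the result is safe
// inside attribute values; ENT_SUBSTITUTE avoids returning an empty string on
// invalid UTF-8, which would otherwise silently drop the field.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hardened version: every untrusted value is encoded where it is written into
// the page. This is the fix that actually removes the XSS.
function renderAddonHardened(array $request): string
{
    $name = $request['name'] ?? '';
    return '<div class="addon-name">' . e($name) . '</div>';
}

// Defence in depth: validate the field against the shape it is expected to have
// before it is stored. Rejecting out-of-shape input does not replace output
// encoding, but it limits what can be persisted in the first place.
// Policy below is an assumed example: 1-64 letters, digits, "_", "-" or spaces.
function validateAddonName(string $name): bool
{
    return (bool) preg_match('/^[\p{L}\p{N}_\- ]{1,64}$/u', $name);
}

// Regression check matching the advisory's verification step: feed a simple
// marker string through each renderer and confirm that only the hardened path
// leaves no raw "<" or ">" from the input in its output.
function selfTest(): array
{
    $probe   = ['name' => '<script>probe</script>'];
    $vuln    = renderAddonVulnerable($probe);
    $hard    = renderAddonHardened($probe);
    $results = [
        'vulnerable_keeps_raw_markup' => strpos($vuln, '<script>') !== false,
        'hardened_has_no_raw_markup'  => strpos($hard, '<script>') === false,
        'hardened_encodes_as_text'    => strpos($hard, '&lt;script&gt;probe&lt;/script&gt;') !== false,
        'validator_accepts_sane_name' => validateAddonName('my-addon 01') === true,
        'validator_rejects_markup'    => validateAddonName($probe['name']) === false,
    ];
    foreach ($results as $check => $ok) {
        if (!$ok) {
            throw new RuntimeException("self-test failed: $check");
        }
    }
    return $results;
}

// Run: php this_file.php  (prints "ok" when every check passes)
selfTest();
echo "ok\n";
```

The encoding helper is context-specific: it is correct for text and for double- or single-quoted attribute values, but a value placed inside a JavaScript block, a URL, or a CSS property needs the encoder for that context instead.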
CVE-2025-14722 is a cross-site scripting (XSS) vulnerability in vion707 DMadmin versions up to 3403cafdb42537a648c30bf8cbc8148ec60437d1, allowing attackers to inject malicious scripts.
You are affected if you are using vion707 DMadmin versions prior to 3403.0.1. Check your version and upgrade if necessary.
Upgrade to version 3403.0.1 or later. As a temporary workaround, implement input validation and output encoding.
While there's no confirmed active exploitation, the vulnerability is publicly disclosed, increasing the risk of exploitation.
Due to the vendor's lack of response, an official advisory may not be available. Monitor security news sources for updates.