Platform
other
Component
warehouse
Fixed in
2.0.1
2.1.1
2.2.1
2.3.1
2.4.1
2.5.1
2.6.1
2.7.1
2.8.1
2.9.1
2.10.1
2.11.1
2.12.1
2.13.1
2.14.1
2.15.1
2.16.1
2.17.1
2.18.1
2.19.1
2.20.1
2.21.1
2.22.1
2.23.1
2.24.1
2.25.1
2.26.1
2.27.1
2.28.1
A cross-site scripting (XSS) vulnerability has been identified in xiweicheng TMS versions 2.0 to 2.28.0. This flaw allows attackers to inject malicious scripts through manipulation of the 'content' argument within the /admin/blog/comment/create endpoint. Successful exploitation could lead to session hijacking or defacement of the administrative interface. A fix is available in version 2.28.1.
The XSS vulnerability in xiweicheng TMS allows an attacker to inject arbitrary JavaScript code into the application. This code will execute in the context of the user's browser when they visit a page containing the injected script. An attacker could leverage this to steal session cookies, redirect users to malicious websites, or modify the content of the application. Given the administrative interface is targeted, a successful attack could grant the attacker control over the entire TMS system, potentially leading to data breaches, system compromise, and reputational damage. The public disclosure of this vulnerability increases the likelihood of exploitation.
This vulnerability was publicly disclosed on 2025-12-17. The vendor, xiweicheng, was contacted but did not respond. The availability of a public proof-of-concept significantly increases the risk of exploitation. While the CVSS score is LOW, the potential impact on administrative access warrants prompt remediation. No KEV listing or confirmed exploitation campaigns are currently known.
Exploit Status
EPSS
0.04% (13% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-14801 is to upgrade xiweicheng TMS to version 2.28.1 or later. If upgrading is not immediately feasible, consider implementing input validation and sanitization on the 'content' parameter in the /admin/blog/comment/create endpoint. Web application firewalls (WAFs) configured to detect and block XSS payloads can also provide a temporary layer of protection. Regularly review and update WAF rules to ensure they are effective against emerging XSS techniques.
Update xiweicheng TMS to a version later than 2.9 that fixes the XSS vulnerability. If no version is available, consider disabling or removing the affected component until a solution is published. Review and filter user inputs in the createComment function to prevent the injection of malicious code.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2025-14801 is a cross-site scripting (XSS) vulnerability affecting xiweicheng TMS versions 2.0 through 2.28.0, allowing attackers to inject malicious scripts.
You are affected if you are using xiweicheng TMS versions 2.0 to 2.28.0 and have not yet upgraded to version 2.28.1 or later.
Upgrade xiweicheng TMS to version 2.28.1 or later. As a temporary workaround, implement input validation and sanitization on the 'content' parameter.
While no confirmed exploitation campaigns are currently known, the vulnerability has been publicly disclosed and a proof-of-concept exists, increasing the likelihood of exploitation.
Due to the vendor's lack of response, an official advisory may not be available. Monitor security news sources and vulnerability databases for updates.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.