Platform: other
Component: product-review
Fixed in: 91.0.1
A cross-site scripting (XSS) vulnerability exists in Product-Review 商品评价系统, affecting versions up to 91ead6890b4065bb45b7602d0d73348e75cb4639. This flaw allows attackers to inject malicious scripts into the application, potentially leading to session hijacking or defacement. The vulnerability impacts the 'Write a Review' component and can be exploited remotely. A fix is available in version 91.0.1.
Successful exploitation of CVE-2025-15248 allows an attacker to inject arbitrary JavaScript code into the Product-Review 商品评价系统. This can be leveraged to steal user cookies, redirect users to malicious websites, or modify the content displayed to other users. The remote nature of the vulnerability means an attacker does not need to be authenticated to exploit it. Given the public availability of an exploit, the risk of immediate exploitation is significant. The blast radius extends to all users of the affected system, particularly those interacting with the 'Write a Review' functionality.
This vulnerability has a LOW CVSS score and a public exploit is available. The project has not responded to the issue report, indicating a potential lack of active maintenance. While not currently listed on CISA KEV, the public exploit makes it a potential target for opportunistic attackers. Monitor threat intelligence feeds for any indications of active exploitation campaigns targeting Product-Review 商品评价系统.
Exploit Status
EPSS: 0.04% (11th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-15248 is to upgrade Product-Review 商品评价系统 to version 91.0.1 or later. If an immediate upgrade is not possible, consider implementing input validation and output encoding on the 'Write a Review' component to sanitize user-supplied data. Web application firewalls (WAFs) configured to detect and block XSS payloads can provide an additional layer of defense. Monitor application logs for suspicious activity, such as unusual JavaScript execution patterns. After upgrading, confirm the fix by attempting to inject a simple XSS payload into the 'Write a Review' field and verifying that it is properly sanitized.
Update the product-review 商品评价系统 component to a version later than 91ead6890b4065bb45b7602d0d73348e75cb4639. If no version is available, consider disabling or removing the component until a fix is released. Implement input sanitization measures for the 'content' argument to prevent the injection of malicious code.
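As an added example (not code from the Product-Review project, whose source the advisory does not show), the following Python sketch illustrates the interim mitigation described above for the 'content' argument of the 'Write a Review' form: validation on input, HTML entity encoding at output, and a coarse indicator check that can be run over submitted content or logged requests. The function names, the sample reviews and the 2000-character limit are assumptions made for this example.

```python
import html
import re
from typing import List, Tuple

# Constructed sample submissions to the 'content' field of the 'Write a Review'
# form. They are made up for this example and are not taken from the advisory
# or from the project's issue report.
SAMPLE_REVIEWS = [
    "Great blender, crushes ice in seconds.",
    "Loved it; 5/5 & would buy again <3",
    "<script>alert(document.cookie)</script>",
    "<img src=x onerror=alert(1)>",
    'Click <a href="javascript:alert(1)">here</a> for a discount',
]

# Indicators worth flagging in submitted content or in request logs. They are
# deliberately coarse: they surface probing for monitoring purposes and do not
# replace output encoding as the actual defence.
SUSPICIOUS_PATTERNS = {
    "script_tag": re.compile(r"<\s*script", re.IGNORECASE),
    "event_handler": re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE),
    "javascript_url": re.compile(r"javascript\s*:", re.IGNORECASE),
}

MAX_CONTENT_LENGTH = 2000  # assumed limit for this example


def validate_review_content(content: str) -> Tuple[bool, str]:
    """Input validation: reject empty, oversized or control-character content.

    Validation narrows what the application accepts; it does not make the
    content safe to render. That is the job of encoding at output time.
    """
    if not content or not content.strip():
        return False, "empty"
    if len(content) > MAX_CONTENT_LENGTH:
        return False, "too long"
    if any(ord(ch) < 0x20 and ch not in "\n\r\t" for ch in content):
        return False, "control characters"
    return True, "ok"


def encode_review_content(content: str) -> str:
    """Output encoding for an HTML element body: <, >, &, " and ' become entities.

    The browser then displays the review text literally instead of parsing it
    as markup, which is what closes the class of XSS the advisory describes.
    """
    return html.escape(content, quote=True)


def render_review_fragment(author: str, content: str) -> str:
    """Build the HTML fragment a review page would emit for one review.

    Every user-controlled value passes through encode_review_content before it
    is placed into the template; the template itself contains no user data.
    """
    return (
        '<div class="review">'
        f'<span class="author">{encode_review_content(author)}</span>'
        f'<p class="content">{encode_review_content(content)}</p>'
        "</div>"
    )


def flag_suspicious_review(content: str) -> List[str]:
    """Return the names of indicators found in content, for log monitoring."""
    return [name for name, pat in SUSPICIOUS_PATTERNS.items() if pat.search(content)]


def is_safe_fragment(fragment: str) -> bool:
    """Check that a rendered fragment carries no user-supplied markup.

    Only the tags written into render_review_fragment's template may remain.
    """
    allowed = {"div", "/div", "span", "/span", "p", "/p"}
    tags = re.findall(r"<\s*(/?[a-zA-Z]+)", fragment)
    return all(tag in allowed for tag in tags)


if __name__ == "__main__":
    for review in SAMPLE_REVIEWS:
        ok, reason = validate_review_content(review)
        flags = flag_suspicious_review(review)
        fragment = render_review_fragment("alice", review)
        print(f"valid={ok} ({reason}) flags={flags} safe_render={is_safe_fragment(fragment)}")
        print("  ", fragment)
```

Encoding is applied where the value is written into HTML, not where it is stored, so a review that was saved before the fix is still rendered safely; the indicator check is only a monitoring aid and would miss encodings or obfuscations the three patterns do not cover.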
CVE-2025-15248 is a cross-site scripting (XSS) vulnerability in Product-Review 商品评价系统 allowing attackers to inject malicious scripts. It affects versions up to 91ead6890b4065bb45b7602d0d73348e75cb4639.
You are affected if you are using Product-Review 商品评价系统 versions prior to 91.0.1. Check your current version and upgrade immediately.
Upgrade Product-Review 商品评价系统 to version 91.0.1 or later. Implement input validation and output encoding as an interim measure.
A public exploit exists, so active exploitation is possible. Monitor your systems and apply the patch promptly.
The project has not responded to the issue report. Check the project's website or GitHub repository for updates.