Platform: vue
Component: public_exp
Fixed in: 3.0.1, 3.1.1, 3.2.1, 3.3.1, 3.4.1
A cross-site scripting (XSS) vulnerability has been discovered in vue3-element-admin versions 3.0 through 3.4.0. The flaw is in the Notice Handler component, specifically the file src/views/system/notice/index.vue. Successful exploitation lets an attacker inject script that runs in the browser of any user who views the affected content, putting user data and session integrity at risk. A public proof of concept exists, and a fix is available in version 3.4.1.
The vulnerability allows an attacker to execute arbitrary JavaScript in the context of a victim's browser session with the admin application. Possible consequences include theft of session cookies or tokens, redirection to phishing pages, defacement of the application, and delivery of further malicious code. The low CVSS score (2.4) indicates that exploitation depends on preconditions, for example an attacker who already holds an account able to create or edit notices and a victim who opens the planted content; weigh those preconditions against the fact that a working exploit is public. The impact is greater where the application handles sensitive data or is part of critical business processes.
The vulnerability is publicly exploitable, with a proof of concept readily available. It was disclosed on 2025-12-31. The CVSS score is 2.4 (LOW), which reflects low severity rather than low likelihood; the public exploit increases the chance that it is tried. The vendor was contacted but did not respond. The vulnerability is not currently listed in the CISA KEV catalog.
Exploit status: public proof of concept available
EPSS: 0.04% (14th percentile)
The primary mitigation for CVE-2025-15372 is to upgrade vue3-element-admin to version 3.4.1 or later. If an immediate upgrade is not feasible, review how src/views/system/notice/index.vue renders notice content: in a Vue component the usual way untrusted content becomes executable markup is a v-html (or :innerHTML) binding, so confirm whether the file uses one. Render the content as text where possible (Vue's {{ }} interpolation escapes HTML by default), and where rich HTML is genuinely required, pass it through a sanitizer such as DOMPurify before binding it. Restricting which roles may create or edit notices limits who can plant a payload. A web application firewall tuned to block XSS payloads and a Content-Security-Policy that disallows inline script add defense in depth but are not substitutes for the fix; review and update those rules as new payload patterns appear.
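As an added example (not code from vue3-element-admin or its advisory), the following Node.js script performs the check described above: it scans Vue single-file-component source for raw-HTML bindings and contrasts raw rendering with the escaping that text interpolation applies. The sample templates, the payload and the function names are constructed for illustration and are not taken from the project's index.vue.

```javascript
// Added example, not code from vue3-element-admin. Finds the usual XSS sink
// in Vue templates (raw-HTML bindings) and shows what {{ }} escaping does.

// Matches v-html="expr", :innerHTML="expr" and v-bind:innerHTML="expr".
// Groups: 1 = directive, 2 = quote character, 3 = bound expression.
const HTML_SINK_RE = /(?:^|[\s"'])(v-html|:innerHTML|v-bind:innerHTML)\s*=\s*(["'])([\s\S]*?)\2/g;

// Return every raw-HTML binding in a .vue file's source with its line number.
function findHtmlSinks(source) {
  const hits = [];
  source.split('\n').forEach((text, idx) => {
    for (const m of text.matchAll(HTML_SINK_RE)) {
      hits.push({ line: idx + 1, directive: m[1], expression: m[3].trim() });
    }
  });
  return hits;
}

// What text interpolation does: characters with HTML meaning are encoded,
// so a stored payload is displayed as text instead of parsed as markup.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Two ways a notice body can reach the page. rawHtml: true mirrors a v-html
// binding; the default mirrors {{ notice.content }}.
function renderNotice(content, { rawHtml = false } = {}) {
  const body = rawHtml ? content : escapeHtml(content);
  return `<div class="notice-body">${body}</div>`;
}

// Constructed sample (hypothetical): a dialog that binds notice content as raw HTML.
const VULNERABLE_TEMPLATE = `
<template>
  <el-dialog v-model="visible" :title="notice.title">
    <div class="notice-body" v-html="notice.content"></div>
  </el-dialog>
</template>`;

// Constructed sample (hypothetical): the same dialog rendering the body as text.
const HARDENED_TEMPLATE = `
<template>
  <el-dialog v-model="visible" :title="notice.title">
    <div class="notice-body">{{ notice.content }}</div>
  </el-dialog>
</template>`;

// Constructed payload of the kind a stored-XSS test would submit as a notice body.
const PAYLOAD = '<img src=x onerror=alert(document.cookie)>';

console.log('sinks in vulnerable template:', findHtmlSinks(VULNERABLE_TEMPLATE));
console.log('sinks in hardened template:  ', findHtmlSinks(HARDENED_TEMPLATE));
console.log('raw     :', renderNotice(PAYLOAD, { rawHtml: true }));
console.log('escaped :', renderNotice(PAYLOAD));
```

Run it against a copy of the real index.vue by reading the file and passing its contents to findHtmlSinks; a non-empty result points at the binding to replace with text interpolation or a sanitizer call.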
CVE-2025-15372 is a cross-site scripting (XSS) vulnerability affecting vue3-element-admin versions 3.0 through 3.4.0, allowing attackers to inject malicious scripts.
You are affected if you run any vue3-element-admin release from 3.0 through 3.4.0. Upgrade to 3.4.1 or later to resolve the issue.
Upgrade to version 3.4.1 or later of vue3-element-admin. Consider input validation and output encoding as a temporary workaround.
A public exploit exists, indicating a potential for active exploitation. Monitor your systems closely and apply the fix promptly.
Check the vue3-element-admin GitHub repository and release notes for the advisory and update instructions.