Platform
java
Component
javasec
Fixed in
3.0.1
A problematic cross-site scripting (XSS) vulnerability has been identified in aitangbao springboot-manager versions 3.0. This flaw affects the /sys/permission file and can be exploited remotely by manipulating the 'name' argument. The vulnerability has been publicly disclosed, and while the vendor has not responded, an upgrade to version 3.0.1 is available to mitigate the risk.
Successful exploitation of CVE-2025-2206 allows an attacker to inject malicious scripts into the springboot-manager application. This can lead to session hijacking, defacement of the application, or redirection of users to malicious websites. The impact is amplified by the remote accessibility of the vulnerability, meaning an attacker does not need local access to exploit it. The lack of vendor response raises concerns about the overall security posture of the application and potential for unaddressed vulnerabilities.
This vulnerability was publicly disclosed on 2025-03-11. The lack of a vendor response is concerning. While no active exploitation campaigns have been publicly reported, the availability of the vulnerability details and its remote accessibility make it a potential target. No KEV listing is currently available.
Exploit Status
EPSS
0.09% (25% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-2206 is to upgrade springboot-manager to version 3.0.1. If an immediate upgrade is not feasible, consider implementing input validation on the 'name' parameter within the /sys/permission endpoint to sanitize user-supplied data. Web application firewalls (WAFs) configured to detect and block XSS payloads targeting this endpoint can provide an additional layer of defense. Review and harden all other input points in the application to prevent similar vulnerabilities.
Update to a patched version of springboot-manager that resolves the Cross-Site Scripting (XSS) vulnerability. If a patched version is not available, implement input sanitization measures on the 'name' parameter of the '/sys/permission' endpoint to prevent malicious code injection.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2025-2206 is a cross-site scripting (XSS) vulnerability affecting aitangbao springboot-manager version 3.0, allowing remote attackers to inject malicious scripts via the /sys/permission endpoint.
You are affected if you are using aitangbao springboot-manager version 3.0 and have not upgraded to version 3.0.1. The /sys/permission endpoint is the primary target.
Upgrade to version 3.0.1. As a temporary workaround, implement input validation on the 'name' parameter within the /sys/permission endpoint.
While no active exploitation campaigns have been publicly reported, the vulnerability's public disclosure and remote accessibility make it a potential target.
The vendor has not yet released an official advisory. Monitor aitangbao's website and security mailing lists for updates.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your pom.xml file and we'll tell you instantly if you're affected.