Platform: java
Component: javasec
Fixed in: 3.0.1
CVE-2025-2207 is a cross-site scripting (XSS) vulnerability identified in aitangbao springboot-manager version 3.0. This flaw allows attackers to inject malicious scripts, potentially leading to session hijacking or defacement. The vulnerability specifically affects the /sys/dept endpoint, and a fix is available in version 3.0.1.
An attacker can exploit CVE-2025-2207 by manipulating the 'name' argument passed to the /sys/dept endpoint of the springboot-manager application. Successful exploitation allows the injection of arbitrary JavaScript, which is then executed in the context of the victim user's browser. This can lead to theft of session cookies, redirection to malicious websites, or modification of the application's displayed content. The impact is amplified if the application handles sensitive user data or performs critical operations, since an attacker could leverage the injected script to compromise user accounts or disrupt service.
This vulnerability has been publicly disclosed and a proof-of-concept may be available. The CVSS score is 2.4 (LOW), indicating a relatively low probability of exploitation in most environments. No active campaigns or KEV listing are currently associated with this CVE as of the publication date. The vendor's lack of response is concerning and warrants further investigation.
Exploit Status
EPSS: 0.09% (25th percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation for CVE-2025-2207 is to immediately upgrade springboot-manager to version 3.0.1 or later. If upgrading is not immediately feasible, consider implementing input validation and output encoding on the /sys/dept endpoint to sanitize user-supplied data. Web application firewalls (WAFs) can also be configured to detect and block XSS attempts targeting this endpoint. Verify the upgrade by attempting to access the /sys/dept endpoint with a known malicious payload after the upgrade; it should be properly sanitized.
Update to a patched version of springboot-manager that resolves the cross-site scripting (XSS) vulnerability. If no patched version is available, validate and sanitize user input in the 'name' parameter of the /sys/dept endpoint to prevent malicious code injection.
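The workaround above combines two controls: allow-list validation of the 'name' value on input, and HTML encoding of that value on output. The following is an added example written for this page, not code from springboot-manager, showing both controls in plain Java. The class name DeptNameGuard, the allow-list pattern, and the sample values are assumptions; the real business rule for department names and the actual handler in the project may differ.

```java
// Added example (not springboot-manager's code): validate the 'name' parameter
// server-side and HTML-encode it before it is rendered back into a page.
// The class, the allow-list and the sample inputs below are hypothetical.
import java.util.regex.Pattern;

public final class DeptNameGuard {

    // Allow-list for a department name: letters (any script), digits, spaces and a
    // few punctuation marks, 1..50 characters. Adjust to the real rule (assumption).
    // Note that '<', '>' and quotes are deliberately absent from the allow-list.
    private static final Pattern ALLOWED =
            Pattern.compile("^[\\p{L}\\p{N} _\\-()&]{1,50}$");

    /** Input validation: reject anything outside the allow-list rather than
     *  trying to strip tags, which is easy to bypass. */
    public static boolean isValidName(String name) {
        return name != null && ALLOWED.matcher(name).matches();
    }

    /** Output encoding: escape the five HTML-significant characters so the value
     *  is safe inside HTML text and double-quoted attribute contexts. */
    public static String htmlEncode(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** Combined handling for a 'name' value received by a hypothetical
     *  /sys/dept handler: validate first, then encode for rendering. */
    public static String handleDeptName(String rawName) {
        if (!isValidName(rawName)) {
            throw new IllegalArgumentException("invalid department name");
        }
        return htmlEncode(rawName);
    }

    public static void main(String[] args) {
        // Constructed sample values, not taken from any real request.
        String[] samples = { "Finance", "R&D (EU)", "<b>x</b>", "a\"onmouseover=\"x" };
        for (String sample : samples) {
            boolean ok = isValidName(sample);
            System.out.printf("%-20s valid=%-5s encoded=%s%n", sample, ok, htmlEncode(sample));
        }
        // "Finance" and "R&D (EU)" pass validation; the latter renders as "R&amp;D (EU)".
        // The two samples containing '<' or '"' fail validation and never reach the page.
    }
}
```

In a Spring Boot application the same encoding step can be done with the framework's own org.springframework.web.util.HtmlUtils.htmlEscape, and the allow-list can be expressed as a Bean Validation @Pattern constraint on the request DTO; the hand-written encoder here only keeps the example free of dependencies. Encoding must be applied where the value is rendered, and the validation rule must be enforced even when the value arrives from an authenticated administrator, since stored XSS in a department name affects every user who later views it.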
CVE-2025-2207 is a cross-site scripting (XSS) vulnerability in aitangbao springboot-manager version 3.0, allowing attackers to inject malicious scripts via the /sys/dept endpoint.
You are affected if you are running aitangbao springboot-manager version 3.0 and the /sys/dept endpoint is accessible. Upgrade to 3.0.1 to mitigate the risk.
Upgrade to version 3.0.1 or later. Implement input validation and output encoding as a temporary workaround if upgrading is not immediately possible.
While publicly disclosed, there is no confirmed active exploitation as of the publication date. However, the availability of a proof-of-concept increases the risk.
Due to the vendor's lack of response, a formal advisory may not be available. Monitor security news sources and community forums for updates.