Platform: java
Component: javasec
Fixed in: 3.0.1
CVE-2025-2209 is a problematic cross-site scripting (XSS) vulnerability discovered in aitangbao springboot-manager version 3.0. This flaw allows attackers to inject malicious scripts via manipulation of the 'name' argument within the /sysDict/add function. Affected users should upgrade to version 3.0.1 to mitigate this risk, as the vulnerability has been publicly disclosed.
Successful exploitation of CVE-2025-2209 allows an attacker to execute arbitrary JavaScript code within the context of a victim's browser session. This can lead to various malicious outcomes, including session hijacking, credential theft, and defacement of the application. The vulnerability's location within the /sysDict/add function suggests that the user-supplied 'name' value is stored and later rendered without proper validation or output encoding, making it susceptible to injection. Given the public disclosure, the risk of exploitation is elevated, particularly if the application accepts input from untrusted users.
CVE-2025-2209 has been publicly disclosed, increasing the likelihood of exploitation. No KEV listing or EPSS score is currently available. Public proof-of-concept (PoC) code may be available or emerge, further accelerating potential exploitation. The vendor's lack of response to the disclosure is concerning and warrants increased vigilance.
Exploit Status
EPSS: 0.09% (25th percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation for CVE-2025-2209 is to upgrade to springboot-manager version 3.0.1, which contains the fix. If upgrading immediately is not feasible, implement input validation and output encoding on the /sysDict/add endpoint so that user-supplied data is never rendered as raw HTML. A web application firewall (WAF) can be configured to detect and block XSS attempts targeting this specific endpoint. Review and update existing security policies to address XSS vulnerabilities more generally.
Update springboot-manager to a patched version that resolves the cross-site scripting (XSS) vulnerability. If a patched version cannot be deployed yet, validate and encode the 'name' parameter of the /sysDict/add endpoint to prevent script injection.
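The two controls named above (validate on input, encode on output) are shown below as an added example; it is not code from springboot-manager or from the fix in 3.0.1. The class name DictNameGuard, the allow-list pattern for dictionary names and the 64-character limit are assumptions chosen for illustration; the encoder covers the characters that matter in HTML text and attribute contexts.

```java
import java.util.regex.Pattern;

/**
 * Added example, not part of springboot-manager: defence in depth for a
 * dictionary "name" field that is stored and later rendered in HTML.
 * Validation rejects unexpected input at the /sysDict/add boundary;
 * encoding makes whatever is stored harmless when it is displayed.
 */
public final class DictNameGuard {

    // Hypothetical allow-list: letters, digits, underscore, hyphen, space;
    // 1 to 64 characters. Adjust to the real naming rules of the application.
    private static final Pattern NAME_ALLOWED =
            Pattern.compile("^[\\p{L}\\p{N}_\\- ]{1,64}$");

    private DictNameGuard() {}

    /** Input validation: accept only names that match the allow-list. */
    public static boolean isValidName(String name) {
        return name != null && NAME_ALLOWED.matcher(name).matches();
    }

    /**
     * Output encoding: escape the characters that can break out of an HTML
     * text node or a quoted attribute. Apply at render time, never store the
     * encoded form (double-encoding shows up as visible entities).
     */
    public static String encodeForHtml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#x27;"); break;
                case '/':  out.append("&#x2F;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample inputs: a benign dictionary name and one that
        // carries markup. The second is rejected by validation and, if it
        // ever reached a template, would be rendered as inert text.
        String[] samples = { "order_status", "<script>alert(1)</script>" };
        for (String name : samples) {
            System.out.printf("input=%s valid=%b encoded=%s%n",
                    name, isValidName(name), encodeForHtml(name));
        }
    }
}
```

Validation belongs in the controller or a bean validation constraint on the request object; encoding belongs in the view layer. Template engines commonly used with Spring Boot escape by default (for example Thymeleaf's th:text), so the usual way this class of bug appears is an explicitly unescaped output such as th:utext or string concatenation into HTML; auditing for those is the quickest way to confirm the fix in a fork or customized build.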
CVE-2025-2209 is a cross-site scripting (XSS) vulnerability in aitangbao springboot-manager version 3.0, affecting the /sysDict/add function. Attackers can inject malicious scripts by manipulating the 'name' argument.
If you are using aitangbao springboot-manager version 3.0 and have not upgraded to 3.0.1, you are vulnerable to this XSS attack.
Upgrade to version 3.0.1. As a temporary workaround, implement input validation and output encoding on the /sysDict/add endpoint.
The vulnerability has been publicly disclosed, increasing the risk of active exploitation. Monitor your systems for suspicious activity.
Due to the vendor's lack of response, a formal advisory may not be available. Monitor security news sources and vulnerability databases for updates.