Platform
java
Component
javasec
Fixed in
3.0.1
CVE-2025-2211 is a cross-site scripting (XSS) vulnerability in aitangbao springboot-manager version 3.0. The flaw is in the /sysDictDetail/add endpoint: the value of the 'name' parameter is accepted without being neutralized, so an attacker can submit a dictionary entry whose name carries HTML or script markup. A fix is available in version 3.0.1.
Successful exploitation of CVE-2025-2211 lets an attacker place arbitrary JavaScript in the springboot-manager application, which then runs in the browser of any user who views a page where the injected name is rendered. That script executes with the victim's session, so it can read session cookies or tokens that are not marked HttpOnly, perform actions on the victim's behalf, redirect them to attacker-controlled sites, or deface the page. The endpoint is reachable over the network, so no local access to the system is needed, although the attacker does need whatever access the application requires to call /sysDictDetail/add. The vendor did not respond to the disclosure, which raises concerns about the application's overall security posture and the possibility of similar unaddressed flaws.
The vulnerability was publicly disclosed on 2025-03-11, which increases the likelihood of exploitation: an XSS payload needs no further research once the injection point is known. The CVSS score is LOW (2.4), but the ease of exploitation and the exposure of user sessions warrant prompt attention. No KEV listing or confirmed exploitation campaigns are currently known.
Exploit Status
EPSS
0.09% (25th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-2211 is to upgrade to springboot-manager version 3.0.1 or later, which contains the fix. If upgrading immediately is not feasible, neutralize the 'name' value: reject or strip markup on input at /sysDictDetail/add and, more importantly, HTML-encode the value at every point where it is rendered, since output encoding is what actually stops the browser from interpreting the injected markup. A web application firewall (WAF) with XSS rules adds a layer of defense but should not be relied on alone, as encoding variations routinely bypass signature rules. Regularly review input handling and template usage so that similar sinks are not reintroduced. After upgrading, confirm the fix rather than trusting the version label (the vendor did not respond to the disclosure): submit a harmless marker string containing angle brackets and quotes as the 'name' at /sysDictDetail/add, check that every page showing dictionary details renders it entity-encoded rather than as markup, and remove the test entry afterwards.
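The two rendering styles behind the impact described above, and the post-upgrade check just described, as an added example. This is not code from springboot-manager or its author: the two render functions are assumptions about how a dictionary name might be displayed (a table cell), the sample pages are constructed inline, and the probe is inert so it can be used against a live instance without running any script.

```python
"""Added example for this advisory, not springboot-manager's own code.

Offline model of the two cases a verifier needs to tell apart: a page that
concatenates the submitted 'name' into HTML (the vulnerable sink) and a page
that HTML-escapes it first (the fixed behaviour). The render functions and
the table layout are hypothetical; the pages they produce are constructed
sample data. classify_rendering() is the part you would run against a real
response body after posting the probe to /sysDictDetail/add.
"""
import html
import re
import secrets


def make_probe(prefix: str = "xsschk") -> tuple[str, str]:
    """Return (probe, marker).

    The marker is random so the check cannot match a dictionary entry that
    already exists. The probe wraps it in a tag and includes both quote
    characters so attribute contexts are exercised too. It is inert: even if
    rendered raw, an unknown tag runs nothing.
    """
    marker = prefix + secrets.token_hex(4)
    return "<" + marker + " a=\"'\">", marker


def render_name_unsafe(name: str) -> str:
    """Hypothetical vulnerable rendering: value concatenated into markup."""
    return '<table><tr><td class="dict-name">' + name + "</td></tr></table>"


def render_name_escaped(name: str) -> str:
    """Hypothetical fixed rendering: value entity-encoded before insertion,
    which is what a template engine's default text escaping produces."""
    return ('<table><tr><td class="dict-name">'
            + html.escape(name, quote=True) + "</td></tr></table>")


def classify_rendering(body: str, marker: str) -> str:
    """Classify how a response body shows the probe.

    'unescaped': the probe's tag is present as real markup (still vulnerable).
    'escaped':   only an entity-encoded form (&lt;marker ...) is present.
    'absent':    the probe was not rendered on this page at all.
    The raw pattern requires a literal '<', which the escaped form never
    contains, so the two cannot be confused.
    """
    tag = re.escape(marker)
    if re.search(r"<" + tag + r"\b", body):
        return "unescaped"
    if re.search(r"&lt;" + tag + r"\b", body):
        return "escaped"
    return "absent"


def check_fix(render) -> str:
    """Push a fresh probe through a render function and classify the output."""
    probe, marker = make_probe()
    return classify_rendering(render(probe), marker)


if __name__ == "__main__":
    print("vulnerable rendering:", check_fix(render_name_unsafe))   # unescaped
    print("fixed rendering:     ", check_fix(render_name_escaped))  # escaped
```

Against a live instance, POST the probe as the 'name' field to /sysDictDetail/add with an authorized session, fetch each page that lists dictionary details, and pass the body and marker to classify_rendering(); treat "unescaped" as a failed fix and "absent" as a page you have not actually tested. The check covers the HTML text and attribute contexts only; a name that ends up inside a script block or a URL needs context-specific encoding that entity-encoding alone does not provide.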
Update to springboot-manager 3.0.1 or later, the release that resolves the XSS. Until the upgrade is deployed, encode the 'name' field of /sysDictDetail/add wherever it is output, and review the endpoint's other parameters for the same flaw.
CVE-2025-2211 is a cross-site scripting (XSS) vulnerability affecting aitangbao springboot-manager version 3.0, allowing attackers to inject malicious scripts via the /sysDictDetail/add endpoint.
You are affected if you are using aitangbao springboot-manager version 3.0 and have not upgraded to version 3.0.1 or later.
Upgrade to springboot-manager version 3.0.1 or later. Implement input validation and sanitization as a temporary workaround if immediate upgrade is not possible.
While no confirmed exploitation campaigns are currently known, the vulnerability has been publicly disclosed, increasing the risk of exploitation.
Because the vendor did not respond to the disclosure, an official advisory may not be published. Monitor security news sources and aitangbao's project page for updates.