Platform: java
Component: springboot-ucan-admin
Fixed in: 5.0.1
A Cross-Site Scripting (XSS) vulnerability has been identified in springboot-ucan-admin, affecting all versions up to commit 5f35162032cbe9288a04e429ef35301545143509. The flaw is in the Personal Settings interface (/ucan-admin/index) and can be exploited remotely. The vulnerability has been publicly disclosed, which raises the risk of near-term attacks. A fix is available in version 5.0.1.
Successful exploitation of CVE-2025-3393 lets an attacker inject script into a page served by springboot-ucan-admin; the script runs in the browser of any user who views the affected settings content, inside that user's session. Because this is an administration console, the script can act as the victim, including issuing authenticated requests to the application and, depending on what the console manages, reaching the systems behind it. Session cookies and tokens can be read directly only where they are exposed to script (cookies without the HttpOnly flag, tokens kept in browser storage), but even without that, script running in the victim's session can act on their behalf. Public disclosure of the exploit details increases the likelihood of opportunistic attacks against unpatched installations.
CVE-2025-3393 has been publicly disclosed, which raises the probability of exploitation. The CVSS severity is rated LOW, but the public availability of the exploit makes it a real risk for exposed installations. At the time of writing there is no indication of active campaigns targeting this vulnerability. The vulnerability was published on 2025-04-08.
Exploit Status
EPSS: 0.12% (30th percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation for CVE-2025-3393 is to upgrade springboot-ucan-admin to version 5.0.1. If upgrading is not immediately feasible, apply temporary workarounds: validate input and, above all, HTML-encode every user-supplied value before it is rendered on the /ucan-admin/index page (input validation alone does not stop XSS; output encoding in the correct rendering context does). A Web Application Firewall (WAF) configured to block common XSS payloads adds a layer of protection, but WAF signatures are routinely bypassed and should not be the only control. After upgrading, confirm the fix by submitting a harmless marker payload through the Personal Settings form and verifying that it is rendered as encoded text rather than as live markup.
Update to a patched version of springboot-ucan-admin (5.0.1 or later). If you cannot upgrade yet, encode and validate user input in the Personal Settings interface to prevent script injection. Consult the references for details.
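The post-upgrade check described above can be made repeatable. The script below is an added example, not code from the advisory or from the springboot-ucan-admin project: it defines a probe payload carrying a unique marker, and classifies a saved copy of the settings page as "raw" (the probe or an executable remnant of it survived), "encoded" (the marker is present only as inert text, which is what correct output encoding produces) or "absent" (the value was rejected or not displayed). The marker, the payload, the field name in the sample pages and the three sample responses are all constructed for this example; nothing here was captured from the real application.

```python
import html
import re
import sys

# Constructed for this example: a unique token so reflections of the probe can be told apart
# from any other content on the settings page. Both values are assumptions, not from the advisory.
MARKER = "ucanxss7f3a"
PAYLOAD = f'"><img src=x onerror=alert("{MARKER}")>'


def classify_reflection(body: str, payload: str = PAYLOAD, marker: str = MARKER) -> str:
    """Classify how the probe came back in a page body.

    'raw'     - the probe, or an executable remnant of it, survived as live markup
    'encoded' - the marker is present but only as inert text (e.g. &lt;img ... &gt;)
    'absent'  - the value was rejected, truncated, or not displayed on this page
    """
    if payload in body:
        return "raw"
    if marker not in body:
        return "absent"
    # Partial sanitizers may strip quotes or parentheses yet leave the tag intact;
    # an <img ... onerror=...> that still carries the marker is still executable.
    live_tag = re.compile(r"<img\b[^>]*onerror[^>]*" + re.escape(marker), re.IGNORECASE)
    if live_tag.search(body):
        return "raw"
    return "encoded"


def expected_encoding(payload: str = PAYLOAD) -> str:
    """What correct HTML output encoding of the probe looks like in an element body."""
    return html.escape(payload, quote=True)


# Constructed sample responses (not captured from the real application); "nickname" is an
# assumed field name for illustration only.
VULNERABLE_BODY = f'<div class="nickname">{PAYLOAD}</div>'            # value echoed unencoded
PATCHED_BODY = f'<div class="nickname">{expected_encoding()}</div>'   # value encoded on output
PARTIAL_BODY = '<div class="nickname"><img src=x onerror=alert(ucanxss7f3a)></div>'  # quotes stripped, tag kept


def main(argv):
    # Usage: submit PAYLOAD through the Personal Settings form, save the resulting page, then:
    #   python check_reflection.py saved_page.html
    if len(argv) == 2:
        with open(argv[1], encoding="utf-8", errors="replace") as fh:
            print(classify_reflection(fh.read()))
        return
    # Without an argument, run the classifier over the constructed samples.
    for name, body in (("vulnerable", VULNERABLE_BODY), ("patched", PATCHED_BODY), ("partial", PARTIAL_BODY)):
        print(f"{name}: {classify_reflection(body)}")


if __name__ == "__main__":
    main(sys.argv)
```

Treat "raw" as a definite failure and "encoded" as a pass for the HTML-body context only: a value echoed inside a script string, an attribute value or a textarea needs context-specific encoding, so confirm the final verdict by loading the page in a browser with the marker in place rather than relying on string matching alone.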
CVE-2025-3393 is a Cross-Site Scripting (XSS) vulnerability in springboot-ucan-admin versions up to commit 5f35162032cbe9288a04e429ef35301545143509, allowing attackers to inject malicious script through the Personal Settings interface.
You are affected if you run a springboot-ucan-admin version prior to 5.0.1 and the /ucan-admin/index endpoint is reachable by an attacker.
Upgrade to version 5.0.1 of springboot-ucan-admin. As a temporary workaround, implement input validation and output encoding.
While there is no confirmed active exploitation, the public disclosure of the exploit increases the risk of future attacks.
Refer to the springboot-ucan-admin project's official documentation or security advisories for details on this vulnerability.