Platform: other
Component: wangmarket
Fixed in: 4.0.1, 4.1.1, 4.2.1, 4.3.1, 4.4.1, 4.5.1, 4.6.1, 4.7.1, 4.8.1, 4.9.1
CVE-2025-15451 describes a cross-site scripting (XSS) vulnerability affecting wangmarket versions 4.0 to 4.9. This flaw allows attackers to inject malicious scripts into the application, potentially compromising user accounts and data. A public proof-of-concept is available, indicating the vulnerability's ease of exploitation. The vendor has not yet released a patch.
Successful exploitation of CVE-2025-15451 allows an attacker to execute arbitrary JavaScript code within the context of a user's browser session. This can lead to various malicious actions, including session hijacking, credential theft, and defacement of the application's interface. The vulnerability resides in the /admin/system/variableSave.do endpoint, suggesting that administrative users are particularly at risk. Given the public availability of a proof-of-concept, the potential for widespread exploitation is significant.
CVE-2025-15451 has been publicly disclosed and a proof-of-concept is available, indicating a high probability of exploitation. It is not currently listed on CISA KEV. The vulnerability's ease of exploitation, combined with the lack of vendor response, increases the risk of active campaigns targeting vulnerable installations of wangmarket.
Organizations utilizing wangmarket versions 4.0 through 4.9, particularly those with publicly accessible administrative interfaces, are at significant risk. Shared hosting environments where multiple users share the same instance of wangmarket are also vulnerable, as an attacker could potentially compromise other users' accounts.
disclosure
Exploit status
EPSS: 0.04% (percentile 13%)
CISA SSVC
CVSS vector
Due to the lack of a vendor-provided patch, immediate mitigation strategies are crucial. Implement strict input validation on the Description parameter within the /admin/system/variableSave.do endpoint. Employ a Web Application Firewall (WAF) with rules to detect and block XSS payloads targeting this specific endpoint. Consider restricting access to the administrative interface to trusted users only. Regularly monitor application logs for suspicious activity. After implementing these mitigations, verify their effectiveness by attempting to inject a simple XSS payload through the vulnerable parameter.
Update wangmarket to a version later than 4.9. If no updates are available, it is recommended to disable or remove the vulnerable functionality (the System Variables page) or to apply a vendor-provided patch, if one exists. Since the vendor has not responded, it is recommended to look for alternative solutions in community forums or to consider migrating to a more secure platform.
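As an added illustration of the interim controls described above (this is not code from wangmarket or from this advisory), the following Python sketch shows a WAF-style check for the Description parameter on /admin/system/variableSave.do alongside server-side entity encoding of the stored value. The regular-expression heuristic, the function names and the sample requests are constructed assumptions, not the project's own validation logic.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Endpoint and parameter named in the advisory; the heuristic below is an added
# conservative WAF-style rule, not wangmarket's own validation code.
VULN_PATH = "/admin/system/variableSave.do"
VULN_PARAM = "Description"

# Markup that has no business in a plain-text system-variable description:
# script-capable tags, inline event handlers and javascript: URLs.
_XSS_HINTS = re.compile(
    r"<\s*/?\s*(script|iframe|object|embed|svg|img|style|link)\b"
    r"|\bon[a-z]+\s*="
    r"|javascript\s*:",
    re.IGNORECASE,
)


def is_suspicious(value: str) -> bool:
    """True if a Description value carries markup that could execute script."""
    return bool(_XSS_HINTS.search(value))


def sanitize_description(value: str) -> str:
    """Server-side hardening: persist the value as inert text (HTML entity encoding)."""
    return html.escape(value, quote=True)


def check_request(method: str, url: str, body: str = "") -> dict:
    """WAF-style decision for one request; parameter is read from query and form body."""
    parts = urlsplit(url)
    if parts.path != VULN_PATH:
        return {"inspected": False, "block": False, "flagged": []}
    params = parse_qs(parts.query, keep_blank_values=True)
    if method.upper() == "POST" and body:
        for key, values in parse_qs(body, keep_blank_values=True).items():
            params.setdefault(key, []).extend(values)
    flagged = [v for v in params.get(VULN_PARAM, []) if is_suspicious(v)]
    return {"inspected": True, "block": bool(flagged), "flagged": flagged}


# Constructed sample requests (not captured traffic): benign text, two classic
# script-bearing values on the vulnerable endpoint, and markup on another endpoint.
SAMPLE_REQUESTS = [
    ("POST", VULN_PATH, "name=slogan&Description=Welcome+to+our+shop"),
    ("POST", VULN_PATH, "name=slogan&Description=%3Cscript%3Ealert(1)%3C%2Fscript%3E"),
    ("GET", VULN_PATH + "?Description=%3Cimg+src%3Dx+onerror%3Dalert(1)%3E", ""),
    ("GET", "/admin/index.do?Description=%3Cscript%3E", ""),
]


def run_samples() -> list:
    """Block decision for each sample request, in order."""
    return [check_request(m, u, b)["block"] for m, u, b in SAMPLE_REQUESTS]
```

The block decisions for the constructed samples are [False, True, True, False]; the last request is never inspected because only the vulnerable endpoint is in scope, which keeps the rule from flagging legitimate markup elsewhere.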
CVE-2025-15451 is a cross-site scripting (XSS) vulnerability in wangmarket versions 4.0 through 4.9, allowing attackers to inject malicious scripts.
You are affected if you are running wangmarket versions 4.0 to 4.9 and have not implemented mitigating controls.
A vendor patch is not currently available. Mitigate by implementing input validation, WAF rules, and restricting access to the administrative interface.
A public proof-of-concept exists, suggesting a high probability of active exploitation.
The vendor has not yet released an advisory for this vulnerability. Monitor the wangmarket website and security mailing lists for updates.