Platform
other
Component
wangmarket
Fixed in
4.0.1
4.1.1
4.2.1
4.3.1
4.4.1
4.5.1
4.6.1
4.7.1
4.8.1
4.9.1
A cross-site scripting (XSS) vulnerability has been discovered in xnx3 wangmarket versions 4.0 to 4.9. This flaw resides within the variableList function of the /admin/system/variableList.do file, specifically affecting the Description argument. Successful exploitation allows an attacker to inject malicious scripts, potentially compromising administrative sessions and sensitive data. A public exploit is available, highlighting the urgency of remediation.
The XSS vulnerability in xnx3 wangmarket allows an attacker to execute arbitrary JavaScript in the browser of a user who views the injected Description value. This can lead to session hijacking, defacement of the administrative interface, and theft of sensitive information such as user credentials or configuration data. Because the affected page lives under /admin/, the victim is typically an administrator, so a successful attack can give the attacker administrative control over the site. The availability of a public exploit raises the likelihood of exploitation, making this a high-priority concern despite the low CVSS score. The impact is amplified if the system handles sensitive data or is integrated with other critical systems.
This vulnerability is publicly known with a proof-of-concept exploit available. It has been added to the NVD database and is considered a low-severity vulnerability based on the CVSS score of 2.4. While the exploit is public, active exploitation campaigns have not been widely reported as of the publication date. The vendor's lack of response to early disclosure attempts raises concerns about the ongoing maintenance and security of the software.
Administrators and users with access to the /admin/system/variableList.do interface are at direct risk. Organizations deploying xnx3 wangmarket in production environments, particularly those without robust input validation and output encoding practices, are highly vulnerable. Shared hosting environments where multiple users share the same instance of the software are also at increased risk.
• generic web: Use curl to send a test payload in the Description parameter of /admin/system/variableList.do and check whether it is reflected unencoded in the HTML response. curl does not execute script, so look for the literal payload in the body rather than for an alert. URL-encode the payload so the shell and server parse it reliably, and pass the admin session cookie if the endpoint requires authentication.
curl -s -G 'http://<target>/admin/system/variableList.do' --data-urlencode 'Description=<script>alert("XSS")</script>' -b '<admin-session-cookie>' | grep -n '<script>alert("XSS")</script>'
• generic web: Review access logs for requests to /admin/system/variableList.do whose Description parameter contains HTML or script markers (<, >, on...=, javascript:), including percent-encoded and double-encoded forms.
• generic web: Check the response headers of this endpoint: a text/html Content-Type with no Content-Security-Policy means a reflected payload executes as written. A restrictive CSP is a useful compensating control while the patch is pending, but it does not fix the flaw.
disclosure
Exploit status
EPSS
0.04% (percentile 13%)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-15452 is to upgrade to a patched version of xnx3 wangmarket. Because the vendor has not confirmed a fixed version, test any upgrade in a non-production environment and verify that the Description value is HTML-encoded when rendered before deploying to production. If upgrading is not immediately feasible, apply contextual output encoding to the Description field handled by /admin/system/variableList.do, with input validation as a secondary control; encoding on output is what actually prevents the script from executing, since validation alone is easy to bypass. A web application firewall (WAF) with XSS rules can add a temporary layer of protection, and a restrictive Content-Security-Policy limits what an injected script can do. Regularly review access logs for requests to /admin/system/variableList.do whose Description parameter contains markup or script characters.
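The log review recommended in the detection bullets above and again in the mitigation advice can be scripted. The following is an added example written for this page, not code from the wangmarket project or from the advisory. It assumes the web server writes Apache combined/common log format and that Description is passed in the query string (the advisory names the parameter but not the HTTP method; POST bodies do not appear in access logs). It percent-decodes the value repeatedly so double-encoded payloads are not missed, and the log lines are constructed samples.

```python
import re
from urllib.parse import urlparse, parse_qs, unquote_plus

# Endpoint named in the advisory for CVE-2025-15452.
TARGET_PATH = "/admin/system/variableList.do"

# Markers that indicate a script-injection attempt in a decoded value.
XSS_PATTERNS = [
    re.compile(r"<\s*script", re.I),
    re.compile(r"<\s*/?\s*(img|svg|iframe|object|embed|body)\b", re.I),
    re.compile(r"\bon[a-z]+\s*=", re.I),   # inline event handler attribute
    re.compile(r"javascript\s*:", re.I),
]

# Apache combined/common format: ip ident user [ts] "METHOD url PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def decode_param(value, rounds=3):
    """Percent-decode up to `rounds` times so double-encoded payloads
    (%253C -> %3C -> <) end up as the characters the browser would see."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_description(url):
    """Return the decoded Description value when the request targets the
    vulnerable endpoint and the value looks like an XSS payload, else None."""
    parsed = urlparse(url)
    if parsed.path != TARGET_PATH:
        return None
    # parse_qs already decodes one layer; decode_param handles the rest.
    for key, values in parse_qs(parsed.query, keep_blank_values=True).items():
        if key.lower() != "description":
            continue
        for raw in values:
            decoded = decode_param(raw)
            if any(p.search(decoded) for p in XSS_PATTERNS):
                return decoded
    return None


def scan_log(lines):
    """Yield (ip, timestamp, status, payload) for each suspicious request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        payload = suspicious_description(m.group("url"))
        if payload is not None:
            hits.append((m.group("ip"), m.group("ts"), m.group("status"), payload))
    return hits


# Constructed sample log lines (not real traffic): a benign request, a plain
# payload, a double-encoded payload, and a payload against another path.
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Jan/2025:10:00:01 +0000] "GET /admin/system/variableList.do?Description=hello HTTP/1.1" 200 512',
    '203.0.113.7 - - [12/Jan/2025:10:00:02 +0000] "GET /admin/system/variableList.do?Description=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 640',
    '203.0.113.9 - - [12/Jan/2025:10:00:03 +0000] "GET /admin/system/variableList.do?Description=%253Cimg%2520src%3Dx%2520onerror%3Dalert(1)%253E HTTP/1.1" 200 640',
    '198.51.100.2 - - [12/Jan/2025:10:00:04 +0000] "GET /admin/system/other.do?Description=%3Cscript%3E HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for ip, ts, status, payload in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} status={status} Description={payload!r}")
```

Run it against a real log with `scan_log(open("access.log"))`. A 200 response to a flagged request is the interesting case: it means the payload reached the handler, and the reflected page should then be checked manually with the curl test above. Requests that sent the payload in a POST body, or that used a different parameter name than the one the advisory names, will not be caught by this script.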
Update wangmarket to a version later than 4.9. If updating is not possible, validate and encode the 'Description' field handled by variableList.do to prevent malicious code injection.
CVE-2025-15452 is a cross-site scripting (XSS) vulnerability affecting xnx3 wangmarket versions 4.0 through 4.9, allowing attackers to inject malicious scripts.
If you are running xnx3 wangmarket versions 4.0 to 4.9, you are potentially affected by this vulnerability. Upgrade to a patched version as soon as possible.
The recommended fix is to upgrade to a patched version of xnx3 wangmarket. If upgrading is not immediately possible, implement input validation and output encoding.
While active exploitation campaigns have not been widely reported, a public exploit exists, increasing the risk of attack.
Due to the vendor's lack of response, a direct advisory may not be available. Monitor security news sources and vulnerability databases for updates.