Platform: javascript
Component: 1panel-dev/maxkb
Fixed in: 2.4.1, 2.4.2, 2.5.0
CVE-2025-15632 describes a cross-site scripting (XSS) vulnerability in 1Panel-dev MaxKB. The flaw lets an attacker inject script into pages served by the application, which can lead to session hijacking or defacement. Affected releases start at 2.4.0; the page lists 2.4.1, 2.4.2 and 2.5.0 as fixed releases, so 2.5.0 itself is not vulnerable. The vulnerability has been publicly disclosed.
Successful exploitation of CVE-2025-15632 lets an attacker run arbitrary JavaScript in the browser of a MaxKB user. That can be used to steal session cookies (where they are not marked HttpOnly), perform actions with the victim's session, redirect users to attacker-controlled sites, or alter the content shown in the application. The vulnerability is remotely exploitable over the network; note that remote exploitability does not by itself mean an unauthenticated attacker can trigger it, so treat the authentication requirement as unconfirmed. The affected code is the MdPreview component used in ui/src/chat.ts, which points to chat content being rendered as Markdown/HTML without adequate sanitization or output encoding before it reaches the DOM.
CVE-2025-15632 has been publicly disclosed, which raises the likelihood of exploitation. CVSS rates it LOW severity, but the ease of remote exploitation warrants attention. Public proof-of-concept (PoC) code may appear and accelerate exploitation attempts. The vulnerability was disclosed on 2026-04-13. The vendor responded professionally and quickly released a fixed version.
Organizations running 1Panel-dev MaxKB in production, particularly with chat functionality reachable from the internet, are at risk. Multi-tenant deployments where several users share one MaxKB instance are at increased risk, since an attacker could use the flaw to compromise other users of the same instance.
• javascript / web: Examine ui/src/chat.ts, and the way it feeds the MdPreview component, for missing input sanitization or output encoding. Look for places where user-supplied content is inserted into the DOM as HTML (for example rendered Markdown handed to an HTML-rendering component) without escaping or sanitizing.
• generic web: Monitor access logs for requests to the chat endpoints carrying JavaScript payloads ("<script", "onerror=", "javascript:" and their URL-encoded forms). Standard access logs record the URL but not POST bodies, so a payload sent inside a chat message only shows up where request bodies or application-level logs are captured.
• generic web: On an instance you are authorized to test, submit a simple payload through the chat input field (or via the browser developer console) and check whether it executes. Prefer a payload such as <img src=x onerror=alert(1)> over <script>alert(1)</script>: script elements inserted through innerHTML never run, so a script-tag test that stays silent proves nothing.
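To act on the log-monitoring hint above, here is an added triage scanner written for this page. It is not MaxKB's code and not an official detection rule. It decodes URL- and entity-encoded payloads before matching, because the raw log line often hides them; the request records, the field names ip/path/body, the /api/chat path prefix and the names scanRequests and decodeLayers are assumptions for the example, and the sample requests are constructed.

```javascript
// Added example, not MaxKB code: triage scanner over captured chat requests.
// Record shape { ip, path, body } and the /api/chat prefix are assumptions
// about whatever body-capturing log (reverse proxy, application log) you have.

const INDICATORS = [
  { name: 'script-tag',     re: /<\s*script\b/i },
  { name: 'active-element', re: /<\s*(?:img|svg|iframe|object|embed|math|details)\b/i },
  // onerror=, onload=, ... This also flags words like "online=": a triage
  // signal, not a verdict.
  { name: 'event-handler',  re: /\bon[a-z]+\s*=/i },
  { name: 'javascript-url', re: /javascript\s*:/i },
];

// Guard String.fromCodePoint against out-of-range entity values.
function codePoint(n, fallback) {
  return n <= 0x10ffff ? String.fromCodePoint(n) : fallback;
}

// Peel up to three layers of encoding: attackers double-encode to get past
// naive matching, and Markdown renderers decode entities inside URLs.
function decodeLayers(s) {
  let cur = String(s);
  for (let i = 0; i < 3; i++) {
    let next = cur;
    try { next = decodeURIComponent(next); } catch (_) { /* malformed %xx: keep as is */ }
    next = next
      .replace(/&#x([0-9a-f]+);?/gi, (m, h) => codePoint(parseInt(h, 16), m))
      .replace(/&#(\d+);?/g, (m, d) => codePoint(Number(d), m))
      .replace(/&lt;/gi, '<').replace(/&gt;/gi, '>')
      .replace(/&quot;/gi, '"').replace(/&amp;/gi, '&');
    if (next === cur) break;   // nothing left to decode
    cur = next;
  }
  return cur;
}

// Returns one hit per request whose decoded body matches any indicator,
// restricted to the chat endpoints the advisory concerns.
function scanRequests(requests, chatPathPrefix = '/api/chat') {
  const hits = [];
  for (const r of requests) {
    if (!r.path.startsWith(chatPathPrefix)) continue;
    const decoded = decodeLayers(r.body);
    const matched = INDICATORS.filter((i) => i.re.test(decoded)).map((i) => i.name);
    if (matched.length) hits.push({ ip: r.ip, path: r.path, decoded, matched });
  }
  return hits;
}

// Constructed sample records (not real traffic): two benign chat messages,
// a URL-encoded tag payload, an entity-encoded javascript: link, and a
// double-encoded script tag.
const SAMPLE_REQUESTS = [
  { ip: '198.51.100.10', path: '/api/chat_message', body: 'hello, what is the refund policy?' },
  { ip: '203.0.113.7',   path: '/api/chat_message', body: '%3Cimg%20src%3Dx%20onerror%3Dalert(document.cookie)%3E' },
  { ip: '203.0.113.7',   path: '/api/chat_message', body: '[docs](&#106;avascript:alert(1))' },
  { ip: '198.51.100.11', path: '/api/chat_message', body: 'Can you summarise section 3 on SLAs?' },
  { ip: '203.0.113.9',   path: '/api/chat_message', body: '%253Cscript%253Ealert(1)%253C%252Fscript%253E' },
];

for (const hit of scanRequests(SAMPLE_REQUESTS)) {
  console.log(`${hit.ip} ${hit.path} [${hit.matched.join(',')}] ${hit.decoded}`);
}
```

Feed it the real records from a body-capturing log and review hits by hand; the indicators are deliberately broad so that an encoded payload is not missed, and the decoded field shows what the renderer would actually have seen.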
Exploit status: disclosure
EPSS: 0.03% (10th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-15632 is to upgrade 1Panel-dev MaxKB to a fixed release (2.5.0 or later; the page also lists 2.4.1 and 2.4.2 as fixed), which carries the fix in commit 7230daa5ec3e6574b6ede83dd48a4fbc0e70b8d8. If an immediate upgrade is not possible, add output encoding or an HTML sanitizer in front of the affected component (MdPreview) so that chat content is never rendered as raw HTML. A WAF may block the obvious payloads but is not a substitute for patching. After upgrading, confirm the fix by submitting a simple XSS payload through the chat functionality and checking that it does not execute; use a payload such as <img src=x onerror=alert(1)> rather than <script>alert(1)</script>, because script elements inserted via innerHTML are never executed by the browser, so a silent script-tag test proves nothing.
Update the MaxKB component to version 2.5.0 or later to mitigate the cross-site scripting (XSS) vulnerability. The update includes a fix for the affected function in the ui/src/chat.ts file that uses the MdPreview component. Consult the 1Panel-dev documentation for specific update instructions.
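The weakness described earlier (chat content reaching the MdPreview component without adequate output encoding) and the output-encoding workaround above come down to one rule: escape every piece of untrusted text before any markup is applied, and never hand raw HTML to the renderer. The following is an added example written for this page; it is not MaxKB's code and does not reproduce MdPreview. escapeHtml, safeHref, renderMarkdown and renderUnsafe are illustrative names, and the sample messages are constructed.

```javascript
// Added example, not MaxKB's code: a minimal Markdown renderer that escapes
// all text before markup is applied, so raw HTML typed into a chat message is
// displayed as text instead of being parsed by the browser. renderUnsafe()
// only stands in for a renderer configured to pass inline HTML through; it is
// not MaxKB's MdPreview.

const ESC = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ESC[c]);
}

// Only these schemes may appear in href; everything else (javascript:, data:,
// vbscript:) collapses to a dead link. The input is already HTML-escaped, so
// it is not escaped a second time.
const SAFE_SCHEME = /^(?:https?:|mailto:)/i;
function safeHref(alreadyEscapedUrl) {
  // Browsers ignore control characters inside a scheme ("java\tscript:"),
  // so strip them before the check rather than after.
  const url = alreadyEscapedUrl.replace(/[\u0000-\u0020]/g, '');
  return SAFE_SCHEME.test(url) ? url : '#';
}

function renderInline(text) {
  let out = escapeHtml(text);                                      // 1. escape first
  out = out.replace(/`([^`]+)`/g, '<code>$1</code>');              // `code`
  out = out.replace(/\*\*([^*]+)\*\*/g, '<strong>$1</strong>');    // **bold**
  out = out.replace(/\[([^\]]+)\]\(([^)\s]+)\)/g,                   // [label](url)
    (_, label, url) => `<a href="${safeHref(url)}" rel="noopener noreferrer">${label}</a>`);
  return out;
}

// Blocks are separated by blank lines; a single-line "# ..." block is a heading.
function renderMarkdown(md) {
  const blocks = md.replace(/\r\n?/g, '\n').trim().split(/\n{2,}/);
  return blocks.map((block) => {
    const heading = block.match(/^(#{1,6}) +(.+)$/);
    if (heading) {
      const level = heading[1].length;
      return `<h${level}>${renderInline(heading[2])}</h${level}>`;
    }
    return `<p>${renderInline(block).replace(/\n/g, '<br>')}</p>`;
  }).join('\n');
}

// Stand-in for a renderer that lets inline HTML through unchanged: the
// pattern behind this class of bug. Never use this on untrusted input.
function renderUnsafe(md) {
  return `<p>${md}</p>`;
}

// Constructed chat messages (not from the advisory) covering the usual vectors.
const SAMPLES = {
  tagInjection: '<img src=x onerror="alert(document.cookie)">',
  hrefScheme:   '[click me](javascript:alert(1))',
  codeSpan:     '**bold** and `<script>` in a code span',
  goodLink:     'See [the docs](https://example.com/faq?a=1&b=2).',
  heading:      '# Heading with <b>html</b>',
};

for (const [name, md] of Object.entries(SAMPLES)) {
  console.log(`${name}\n  unsafe: ${renderUnsafe(md)}\n  safe:   ${renderMarkdown(md)}`);
}
```

The design point is the order of operations: escaping happens once, on the raw text, and every later step only adds markup that the renderer itself generated. Post-hoc sanitizing of already-rendered HTML is the approach that needs a battle-tested library; escaping first makes the safe outcome the default.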
CVE-2025-15632 is a cross-site scripting (XSS) vulnerability in 1Panel-dev MaxKB, affecting releases from 2.4.0 that predate the fix, that lets attackers inject malicious scripts.
You are affected if you run a 1Panel-dev MaxKB release from 2.4.0 onward that does not yet carry the fix. Upgrade to 2.5.0 or later (the page also lists 2.4.1 and 2.4.2 as fixed releases) to resolve the issue.
Upgrade 1Panel-dev MaxKB to 2.5.0 or later. If upgrading is not immediately possible, apply input validation and output encoding to chat content before it reaches the MdPreview component as a temporary workaround.
The vulnerability has been publicly disclosed, increasing the risk of exploitation. Monitor your systems for suspicious activity.
Contact 1Panel-dev directly for the official advisory. The fixing commit is 7230daa5ec3e6574b6ede83dd48a4fbc0e70b8d8.