Platform
java
Component
javasec
Fixed in
3.0.1
A cross-site scripting (XSS) vulnerability has been identified in aitangbao springboot-manager version 3.0. The flaw is in the /sys/permission endpoint and can be triggered remotely by manipulating the 'name' argument. The issue has been publicly disclosed; the vendor did not respond to the disclosure, but version 3.0.1 addresses it and upgrading is the recommended fix.
Successful exploitation of CVE-2025-2206 allows an attacker to inject script into pages served by the springboot-manager application. In the browser of a user who loads the affected page this can lead to session hijacking (where the session cookie is not marked HttpOnly), actions performed with that user's privileges, defacement of the application, or redirection to malicious sites. The endpoint is reachable over the network, so the attacker needs no local access, although a victim must still view the page into which the payload is rendered; whether the payload is reflected from the request or stored and shown later is not stated in the disclosure. The absence of a vendor response also means there is no official advisory confirming the affected code path, which is a concern for the application's overall security posture.
This vulnerability was publicly disclosed on 2025-03-11. No vendor response was recorded. While no active exploitation campaigns have been publicly reported, the disclosure names the endpoint and parameter and the issue is reachable over the network, so opportunistic probing should be expected. It is not listed in the CISA KEV catalog at the time of writing.
Organizations running aitangbao springboot-manager version 3.0 are at risk, particularly where the /sys/permission endpoint is reachable by external users or where the 'name' value is rendered into pages without encoding. In a multi-tenant deployment of a single instance, the impact extends beyond the submitting account if an injected name is stored and later displayed to administrators or to users of another tenant.
• java / server: confirm the application is running and locate the deployed build (the version itself comes from the jar or pom.xml, not from this command):
ps -ef | grep springboot-manager
• java / server: watch the application log for requests to the affected endpoint (assumes a systemd unit named springboot-manager; adjust the unit name to your deployment):
journalctl -u springboot-manager -f | grep "/sys/permission"
• generic web: send a harmless marker in the 'name' parameter and check whether it comes back unencoded in the response body (add -b with a valid session cookie if the endpoint requires login). The original check grepped the X-XSS-Protection response header, but that header is deprecated, ignored by current browsers, and says nothing about whether the parameter is reflected; if the application stores the name and renders it on another page, inspect that page instead:
curl -s 'http://<target>/sys/permission?name=<marker>' | grep -n '<marker>'
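The commands above only show that the service is up and that the endpoint was hit. The following Java program, an added example rather than code from springboot-manager or its author, scans access-log lines for requests to /sys/permission whose 'name' query value decodes to an HTML tag, a javascript: URL or an on* event-handler attribute, including double-encoded variants. It assumes a combined-style access log and that 'name' travels in the query string; a payload submitted in a POST body does not appear in such a log. The sample lines are constructed.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added example (not springboot-manager code): report access-log lines where the
// "name" parameter sent to /sys/permission decodes to an XSS-looking value.
// Assumes a combined log format; the line layout and sample data are constructed.
public class PermissionXssLogScan {

    // client ident user [time] "METHOD target HTTP/x" status ...
    private static final Pattern REQUEST_LINE = Pattern.compile(
        "^(\\S+) \\S+ \\S+ \\[([^\\]]+)\\] \"(\\S+) (\\S+) [^\"]*\" (\\d{3})");

    // Markers in the decoded value: an opening/closing tag, a javascript: URL,
    // or an on<event>= attribute.
    private static final Pattern XSS_MARKER = Pattern.compile(
        "(?i)<\\s*/?\\s*[a-z]|javascript\\s*:|\\bon[a-z]+\\s*=");

    /** Decodes a query value up to twice so double-encoded payloads are caught. */
    static String decode(String raw) {
        String value = raw;
        for (int i = 0; i < 2 && value.contains("%"); i++) {
            try {
                value = URLDecoder.decode(value, StandardCharsets.UTF_8);
            } catch (IllegalArgumentException e) {
                break; // malformed %-sequence: keep what we have
            }
        }
        return value;
    }

    /** Decoded "name" value if the request targets /sys/permission, else null. */
    static String permissionName(String target) {
        int q = target.indexOf('?');
        if (q < 0 || !target.substring(0, q).startsWith("/sys/permission")) return null;
        for (String pair : target.substring(q + 1).split("&")) {
            int eq = pair.indexOf('=');
            String key = eq < 0 ? pair : pair.substring(0, eq);
            if (key.equals("name")) return decode(eq < 0 ? "" : pair.substring(eq + 1));
        }
        return null;
    }

    /** One report line per suspicious request. */
    static List<String> scan(List<String> lines) {
        List<String> hits = new ArrayList<>();
        for (String line : lines) {
            Matcher m = REQUEST_LINE.matcher(line);
            if (!m.find()) continue;
            String name = permissionName(m.group(4));
            if (name != null && XSS_MARKER.matcher(name).find()) {
                hits.add(m.group(1) + " " + m.group(2) + " " + m.group(3)
                         + " status=" + m.group(5) + " name=" + name);
            }
        }
        return hits;
    }

    public static void main(String[] args) {
        // Constructed sample: a benign name, an encoded payload, a double-encoded
        // payload, and a POST whose body (and therefore name) is not logged.
        List<String> sample = List.of(
            "10.0.0.5 - - [11/Mar/2025:10:00:01 +0000] \"GET /sys/permission?name=user%3Alist HTTP/1.1\" 200 512",
            "10.0.0.9 - - [11/Mar/2025:10:00:07 +0000] \"GET /sys/permission?name=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1\" 200 731",
            "10.0.0.9 - - [11/Mar/2025:10:00:09 +0000] \"GET /sys/permission?name=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1\" 200 740",
            "10.0.0.7 - - [11/Mar/2025:10:00:12 +0000] \"POST /sys/permission HTTP/1.1\" 200 98");
        scan(sample).forEach(System.out::println);
    }
}
```

Run it with `java PermissionXssLogScan.java` (Java 11 or later); the two lines from 10.0.0.9 are reported, the benign request and the POST are not. Feed real log files by replacing the sample list with lines read from the file.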
Exploit status
EPSS
0.09% (25th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-2206 is to upgrade springboot-manager to version 3.0.1. If an immediate upgrade is not feasible, restrict the 'name' parameter of the /sys/permission endpoint to a strict allow-list of characters and, more importantly, HTML-encode the value wherever it is written into a page: validation narrows what can be submitted, but output encoding is what actually prevents script execution. A web application firewall configured to block XSS payloads on this endpoint adds a layer of defense but can be bypassed by encoding variations, so it should not be the only control. Limiting the /sys/permission endpoint to authenticated administrators and deploying a Content Security Policy that disallows inline script reduce the impact of any residual injection. Review and harden the application's other input points in the same way to prevent similar vulnerabilities.
Upgrade to a patched version of springboot-manager that resolves the cross-site scripting (XSS) vulnerability. If no patched version is available, apply input sanitization to the 'name' parameter of the '/sys/permission' endpoint to prevent the injection of malicious code.
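As an added illustration (not code from springboot-manager or its author), the following plain-Java class shows the two controls described above for the 'name' parameter: an allow-list check at input and HTML entity encoding at output, next to the unsafe string concatenation that produces the XSS. The character policy in NAME_POLICY and the table-cell markup are assumptions; in a Spring Boot application the encoding step is normally done with Spring's HtmlUtils.htmlEscape or the OWASP Java Encoder, and template engines such as Thymeleaf escape th:text by default.

```java
import java.util.regex.Pattern;

// Added example, not springboot-manager code. Demonstrates input allow-listing
// and output HTML encoding for a permission name; the policy and markup are assumed.
public class PermissionNameHardening {

    // Assumed policy: letters, digits and : _ . - separators, 1..64 characters.
    // Adjust to the character set the deployment actually uses for permission names.
    private static final Pattern NAME_POLICY = Pattern.compile("^[\\p{L}\\p{N}:_.\\-]{1,64}$");

    /** Input-side control: reject anything outside the policy instead of "cleaning" it. */
    static String validateName(String name) {
        if (name == null || !NAME_POLICY.matcher(name).matches()) {
            throw new IllegalArgumentException("invalid permission name");
        }
        return name;
    }

    /** Output-side control: encode for an HTML text or quoted-attribute context. */
    static String htmlEncode(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#x27;"); break;
                case '/':  out.append("&#x2F;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** Vulnerable pattern: the untrusted value is concatenated straight into markup. */
    static String renderUnsafe(String name) {
        return "<td class=\"perm\">" + name + "</td>";
    }

    /** Hardened pattern: same markup, value encoded for the HTML text context. */
    static String renderSafe(String name) {
        return "<td class=\"perm\">" + htmlEncode(name) + "</td>";
    }

    public static void main(String[] args) {
        String payload = "<img src=x onerror=alert(document.cookie)>"; // constructed sample
        System.out.println(renderUnsafe(payload)); // browser would run the onerror handler
        System.out.println(renderSafe(payload));   // browser shows the text literally
        try {
            validateName(payload);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected at input: " + e.getMessage());
        }
        System.out.println(renderSafe(validateName("sys:permission:list")));
    }
}
```

Run it with `java PermissionNameHardening.java` (Java 11 or later). The encoding in renderSafe is the control that closes the vulnerability; validateName stops the payload earlier but must not be relied on alone, because a name that passes the policy still has to be encoded in every context where it is displayed.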
CVE-2025-2206 is a cross-site scripting (XSS) vulnerability in aitangbao springboot-manager version 3.0 that lets a remote attacker inject script through the 'name' parameter of the /sys/permission endpoint.
You are affected if you run aitangbao springboot-manager version 3.0 and have not upgraded to version 3.0.1. The 'name' parameter of the /sys/permission endpoint is the affected input.
Upgrade to version 3.0.1. As a temporary workaround, validate the 'name' parameter of the /sys/permission endpoint against a strict allow-list and HTML-encode it wherever it is rendered.
While no active exploitation campaigns have been publicly reported, the vulnerability's public disclosure and remote accessibility make it a potential target.
The vendor has not yet released an official advisory. Monitor aitangbao's website and security mailing lists for updates.