Platform: vue
Component
public_exp
Fixed in: 3.0.1, 3.1.1, 3.2.1, 3.3.1, 3.4.1
A cross-site scripting (XSS) vulnerability has been discovered in vue3-element-admin versions 3.0 through 3.4.0. This flaw resides within the Notice Handler component, specifically the file src/views/system/notice/index.vue. Successful exploitation allows an attacker to inject malicious scripts into the application, potentially compromising user data and session integrity. The vulnerability is publicly exploitable and a fix is available in version 3.4.1.
The XSS vulnerability in vue3-element-admin allows an attacker to execute arbitrary JavaScript code in the context of a user's browser. This can lead to various malicious actions, including stealing session cookies, redirecting users to phishing sites, defacing the application, and injecting malware. Given the public availability of an exploit, the risk of exploitation is significant, particularly for systems running vulnerable versions. The impact is amplified if the application handles sensitive data or is used in critical business processes.
This vulnerability is publicly exploitable, with a proof-of-concept readily available. It was disclosed on 2025-12-31. The CVSS score is 2.4 (LOW), indicating a relatively low likelihood of widespread exploitation, but the public availability of the exploit increases the risk. The vendor was contacted but did not respond. This vulnerability is not currently listed on the CISA KEV catalog.
Applications utilizing vue3-element-admin versions 3.0 through 3.4.0 are at risk. This includes projects that directly integrate the component or rely on it as a dependency. Shared hosting environments where multiple applications share the same codebase are particularly vulnerable, as a compromise of one application could potentially affect others.
• vue: Inspect the src/views/system/notice/index.vue file for suspicious JavaScript code or unusual DOM manipulation patterns.
• generic web: Monitor access logs for requests containing unusual or obfuscated JavaScript payloads targeting the Notice Handler component.
• generic web: Use browser developer tools to identify any unexpected JavaScript execution or DOM modifications on the Notice Handler page.
• generic web: Check response headers for the presence of Content Security Policy (CSP) directives that could mitigate XSS attacks.
EPSS: 0.04% (14th percentile)
The primary mitigation for CVE-2025-15372 is to upgrade to version 3.4.1 or later of vue3-element-admin. If an immediate upgrade is not feasible, consider implementing input validation and output encoding on the src/views/system/notice/index.vue component to sanitize user-supplied data. Web application firewalls (WAFs) configured to detect and block XSS payloads can provide an additional layer of defense. Regularly review and update security rules to reflect the latest threat intelligence.
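As an added example (not code from vue3-element-admin or from this advisory), the output-encoding workaround applied to notice content in plain JavaScript. The advisory does not identify which sink inside src/views/system/notice/index.vue is affected, so the rendering function, field names and sample notice below are assumptions.

```javascript
// Added example, not project code: encode user-controlled notice fields before
// they reach the DOM. Assumes the notice body is rendered as HTML; in a Vue
// template the same fix is `{{ notice.content }}` (auto-escaped) instead of
// `v-html="notice.content"`, which inserts raw markup. Names are hypothetical.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode a string so the browser treats it as text in both element-content and
// double-quoted attribute context, never as markup.
function encodeForHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Build the markup for one notice with every user-controlled field encoded.
function renderNotice(notice) {
  const title = encodeForHtml(notice.title);
  const content = encodeForHtml(notice.content);
  return `<div class="notice" data-title="${title}"><h3>${title}</h3><p>${content}</p></div>`;
}

// Check used to confirm the encoded output carries no live tag of the given name.
function containsRawTag(html, tagName) {
  return new RegExp(`<${tagName}[\\s>]`, 'i').test(html);
}

// Constructed sample: a notice whose title and content carry quotes and markup.
const sampleNotice = {
  title: 'Maintenance "tonight"',
  content: '<script>alert(1)</script> window starts at 22:00 <b>UTC</b>',
};

console.log(renderNotice(sampleNotice));
```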
Update vue3-element-admin to a version later than 3.4.0 to fix the XSS vulnerability. If updating is not possible, review and sanitize user input in the file src/views/system/notice/index.vue to prevent injection of malicious code. Consider implementing validation and output encoding to mitigate the risk.
CVE-2025-15372 is a cross-site scripting (XSS) vulnerability affecting vue3-element-admin versions 3.0 through 3.4.0, allowing attackers to inject malicious scripts.
You are affected if you are using vue3-element-admin versions 3.0, 3.1, 3.2, 3.3, or 3.4.0. Upgrade to 3.4.1 or later to resolve the issue.
Upgrade to version 3.4.1 or later of vue3-element-admin. Consider input validation and output encoding as a temporary workaround.
A public exploit exists, indicating a potential for active exploitation. Monitor your systems closely and apply the fix promptly.
Check the vue3-element-admin GitHub repository and release notes for the advisory and update instructions.