プラットフォーム
other
コンポーネント
warehouse
修正版
1.0.1
CVE-2025-0398 is a problematic cross-site scripting (XSS) vulnerability discovered in Longpi1 Warehouse version 1.0. This flaw allows attackers to inject malicious scripts via manipulation of the 'remark' argument within the /resources/..;/inport/updateInport endpoint. Affected users should upgrade to version 1.0.1 to address this issue.
Successful exploitation of CVE-2025-0398 allows an attacker to execute arbitrary JavaScript code in the context of a victim's browser session. This could lead to session hijacking, credential theft, or defacement of the warehouse application. The vulnerability's remote accessibility significantly broadens the attack surface, potentially impacting any user interacting with the affected endpoint. While the CVSS score is LOW, the potential for user data compromise and application manipulation warrants prompt remediation.
This vulnerability was publicly disclosed on 2025-01-12. A proof-of-concept exploit is likely available given the public disclosure. The vulnerability is not currently listed on CISA KEV. The LOW CVSS score suggests a relatively low probability of widespread exploitation, but the ease of exploitation and potential impact necessitate prompt action.
Organizations utilizing Longpi1 Warehouse version 1.0, particularly those with publicly accessible instances of the /resources/..;/inport/updateInport endpoint, are at risk. Shared hosting environments where multiple users share the same instance of Longpi1 Warehouse are also particularly vulnerable.
disclosure
エクスプロイト状況
EPSS
0.10% (28% パーセンタイル)
CISA SSVC
CVSS ベクトル
The primary mitigation for CVE-2025-0398 is to upgrade Longpi1 Warehouse to version 1.0.1, which includes the necessary fix. If upgrading immediately is not feasible, consider implementing input validation and sanitization on the 'remark' parameter within the /resources/..;/inport/updateInport endpoint to prevent malicious script injection. Web application firewalls (WAFs) configured to detect and block XSS payloads targeting this specific endpoint can also provide a temporary layer of protection. After upgrading, confirm the vulnerability is resolved by attempting to inject a simple XSS payload through the 'remark' parameter and verifying that it is properly sanitized.
Actualizar a una versión parcheada o aplicar las medidas de seguridad proporcionadas por el proveedor para mitigar la vulnerabilidad XSS. Validar y limpiar las entradas del usuario, especialmente el campo 'remark', para evitar la inyección de código malicioso. Si no hay parche disponible, considerar deshabilitar o restringir el acceso a la funcionalidad afectada.
脆弱性分析と重要アラートをメールでお届けします。
CVE-2025-0398 is a cross-site scripting (XSS) vulnerability affecting Longpi1 Warehouse version 1.0, allowing attackers to inject malicious scripts through the 'remark' parameter.
If you are using Longpi1 Warehouse version 1.0, you are potentially affected by this vulnerability. Upgrade to version 1.0.1 to mitigate the risk.
The recommended fix is to upgrade Longpi1 Warehouse to version 1.0.1. As a temporary workaround, implement input validation and sanitization on the 'remark' parameter.
While there's no confirmed active exploitation at this time, the public disclosure and ease of exploitation suggest it could be targeted.
Refer to the Longpi1 Warehouse official website or security advisories for the latest information and updates regarding CVE-2025-0398.