Platform: java
Component: mooc
Fixed versions: 1.0.1, 1.1.1, 1.2.1, 1.3.1, 1.4.1, 1.5.1, 1.6.1, 1.7.1, 1.8.1, 1.9.1, 1.10.1, 1.11.1, 1.12.1, 1.13.1, 1.14.1, 1.15.1, 1.16.1, 1.17.1
A cross-site scripting (XSS) vulnerability has been identified in yourmaileyes MOOC versions 1.0 to 1.17. This flaw resides within the subreview function of the MainController.java file, specifically the Submission Handler component. Successful exploitation allows an attacker to inject malicious scripts, potentially compromising user sessions and data. A public proof-of-concept exists, and a fix is available in version 1.17.1.
The XSS vulnerability in yourmaileyes MOOC allows an attacker to inject arbitrary JavaScript code into the application. This code can then be executed in the context of a user's browser when they visit a vulnerable page. Attackers could leverage this to steal session cookies, redirect users to phishing sites, or deface the application. The remote nature of the exploit means attackers don't need local access to the server. Given the public availability of a proof-of-concept, the risk of exploitation is elevated, particularly for systems running unpatched versions of yourmaileyes MOOC.
This vulnerability has a LOW CVSS score of 3.5. A public proof-of-concept has been released, indicating a higher likelihood of exploitation. The vulnerability was reported to the project, but no response has been received as of the publication date. It is recommended to prioritize patching to prevent potential attacks.
Organizations using yourmaileyes MOOC for online learning platforms, particularly those running versions 1.0 through 1.17, are at risk. Shared hosting environments where multiple users share the same server instance are also at increased risk, as a successful exploit could potentially impact other users on the same server.
• java / server: find /var/www/yourmaileyes/mooc/controller/ -name MainController.java -print
• java / server: grep -r 'subreview' /var/www/yourmaileyes/mooc/controller/
• generic web: Check for unusual JavaScript code being injected into pages via URL parameters. Use browser developer tools to inspect network requests and responses for suspicious scripts.
• generic web: Review access logs for requests containing unusual characters or patterns in the review parameter.
Exploit status
EPSS: 0.04% (13th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-15134 is to upgrade your installation of yourmaileyes MOOC to version 1.17.1 or later. If upgrading immediately is not feasible, consider implementing input validation and output encoding on the review parameter within the MainController.java file. While not a complete solution, this can reduce the attack surface. Web application firewalls (WAFs) configured to detect and block XSS payloads can also provide an additional layer of defense. Monitor your application logs for suspicious activity, particularly requests containing unusual characters or patterns in the review parameter.
Update the yourmaileyes MOOC application to a version later than 1.17 that fixes the Cross-Site Scripting (XSS) vulnerability in the Submission Handler component. Validate and sanitize user input, especially the 'review' parameter, to prevent injection of malicious code. Implement additional security measures such as output encoding to mitigate the XSS risk.
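As an added illustration of the output-encoding workaround described above (this is not yourmaileyes code; the handler names, the parameter map standing in for the servlet request, the surrounding HTML and the 2000-character limit are all assumptions), here is a minimal reflected-output handler in its unencoded form beside the hardened form:

```java
import java.util.Map;

/** Added example, not yourmaileyes code: shows why reflecting the review
 *  parameter unencoded is dangerous and how output encoding removes the risk. */
public class ReviewRenderExample {

    /** Minimal HTML entity encoder for text placed inside an element body. */
    static String htmlEncode(String s) {
        if (s == null) return "";
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Hypothetical vulnerable form: the parameter lands in the HTML as-is. */
    static String subreviewUnencoded(Map<String, String> params) {
        String review = params.getOrDefault("review", "");
        return "<div class=\"review\">" + review + "</div>";
    }

    /** Hardened form: a length bound (input validation) plus HTML encoding at the output point. */
    static String subreviewEncoded(Map<String, String> params) {
        String review = params.getOrDefault("review", "");
        if (review.length() > 2000) {
            review = review.substring(0, 2000); // assumed limit; bound the size before rendering
        }
        return "<div class=\"review\">" + htmlEncode(review) + "</div>";
    }

    public static void main(String[] args) {
        // Constructed sample input containing markup characters.
        Map<String, String> params = Map.of("review", "<b>great</b> & \"nice\"");
        System.out.println(subreviewUnencoded(params)); // browser interprets the markup
        System.out.println(subreviewEncoded(params));   // browser shows it as literal text
    }
}
```

The encoder is the element-body case only; a value placed inside an attribute, a URL or a script block needs the encoding rules for that context.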
CVE-2025-15134 is a cross-site scripting (XSS) vulnerability affecting yourmaileyes MOOC versions 1.0 to 1.17, allowing attackers to inject malicious scripts.
You are affected if you are using yourmaileyes MOOC versions 1.0 through 1.17. Upgrade to version 1.17.1 or later to mitigate the risk.
Upgrade your yourmaileyes MOOC installation to version 1.17.1 or later. Consider input validation and output encoding as a temporary workaround.
A public proof-of-concept exists, indicating a potential for active exploitation. Prioritize patching to reduce your risk.
Refer to the yourmaileyes project's official website or security advisories for the latest information and updates regarding CVE-2025-15134.