Platform: java
Component: javasec
Fixed version: 3.0.1
CVE-2025-2211 is a cross-site scripting (XSS) vulnerability identified in aitangbao springboot-manager version 3.0. This vulnerability allows an attacker to inject malicious scripts into the application, potentially compromising user sessions and data. The vulnerability specifically impacts the /sysDictDetail/add endpoint, where manipulation of the 'name' argument can trigger the XSS. A fix is available in version 3.0.1.
Successful exploitation of CVE-2025-2211 allows an attacker to inject arbitrary JavaScript code into the springboot-manager application. This code can then be executed in the context of a victim's browser when they access a vulnerable page. The attacker could steal session cookies, redirect users to malicious websites, or deface the application. The vulnerability's remote accessibility significantly broadens the potential attack surface, as it doesn't require local access to the system. The lack of vendor response raises concerns about the overall security posture of the application and potential unaddressed vulnerabilities.
This vulnerability has been publicly disclosed, increasing the likelihood of exploitation. While the CVSS score is LOW (2.4), the ease of exploitation and potential impact on user data warrant immediate attention. No KEV listing or confirmed exploitation campaigns are currently known. The public disclosure date (2025-03-11) indicates that attackers have had time to analyze and potentially develop exploits.
Organizations using aitangbao springboot-manager version 3.0, particularly those with publicly accessible instances of the application, are at risk. Shared hosting environments where multiple users share the same instance of springboot-manager are also particularly vulnerable, as an attacker could potentially compromise other users' accounts.
• java / server (search the filesystem for springboot-manager installs that reference the affected endpoint; grep needs -r because the matched paths are directories):
find / -name "springboot-manager*" -type d -exec grep -ri "sysDictDetail/add" {} \;
• generic web (a reflected response containing the unencoded payload indicates the endpoint is still vulnerable):
curl -s -X POST -d "name=<script>alert('XSS')</script>" http://your-springboot-manager-url/sysDictDetail/add | grep "<script>alert('XSS')</script>"
Disclosure
Exploitation status
EPSS: 0.09% (25th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-2211 is to upgrade to springboot-manager version 3.0.1 or later, which contains the fix. If upgrading immediately is not feasible, consider implementing input validation and sanitization on the /sysDictDetail/add endpoint to prevent the injection of malicious scripts. Web application firewalls (WAFs) configured to detect and block XSS payloads can provide an additional layer of defense. Regularly review and update input validation routines to prevent similar vulnerabilities from arising in the future. After upgrade, confirm by testing the /sysDictDetail/add endpoint with various input strings to ensure no XSS payloads are executed.
Upgrade to a patched version of springboot-manager that fixes the XSS vulnerability. If no such version is available, sanitize user input in the 'name' field of the /sysDictDetail/add endpoint to prevent the injection of malicious code. Also review other parameters for similar vulnerabilities.
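The interim mitigation described above (validate the 'name' parameter on input, encode it on output), shown as an added example in Spring Boot style; this is not code from springboot-manager, and the class, method, package and allow-list pattern are assumptions, with only the endpoint path and the 'name' parameter taken from the advisory.

```java
// Added example, not springboot-manager code. Package and class names are hypothetical.
package com.example.dict;

import java.util.regex.Pattern;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class SysDictDetailController {

    // Allow-list for dictionary entry names: letters (including CJK), digits, space, '_' and '-',
    // at most 64 characters. Markup characters such as < > " ' & never pass this check.
    private static final Pattern SAFE_NAME = Pattern.compile("^[\\p{L}\\p{N} _-]{1,64}$");

    @PostMapping("/sysDictDetail/add")
    public ResponseEntity<String> add(@RequestParam("name") String name) {
        if (name == null || !SAFE_NAME.matcher(name).matches()) {
            // Reject rather than silently "clean" the value, so the caller learns why it failed.
            return ResponseEntity.badRequest().body("invalid name");
        }
        // Persisting the entry is omitted here; the stored value may later be rendered in
        // HTML, so encode it on every output path as well, not only at this endpoint.
        return ResponseEntity.ok("added: " + htmlEncode(name));
    }

    /** Minimal HTML entity encoding for text placed in an element body or quoted attribute. */
    static String htmlEncode(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#x27;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }
}
```

The allow-list is deliberately strict; loosen it only for characters the application genuinely needs, and keep the output encoding regardless, since encoding at render time is what prevents a stored value from executing in a victim's browser.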
CVE-2025-2211 is a cross-site scripting (XSS) vulnerability affecting aitangbao springboot-manager version 3.0, allowing attackers to inject malicious scripts via the /sysDictDetail/add endpoint.
You are affected if you are using aitangbao springboot-manager version 3.0 and have not upgraded to version 3.0.1 or later.
Upgrade to springboot-manager version 3.0.1 or later. Implement input validation and sanitization as a temporary workaround if immediate upgrade is not possible.
While no confirmed exploitation campaigns are currently known, the vulnerability has been publicly disclosed, increasing the risk of exploitation.
Due to lack of vendor response, an official advisory may not be available. Monitor security news sources and aitangbao's website for updates.