Platform
java
Fixed in
59.0.1
CVE-2025-15149 is a cross-site scripting (XSS) vulnerability affecting rawchen ecms versions up to b59d7feaa9094234e8aa6c8c6b290621ca575ded. This vulnerability allows attackers to inject malicious scripts into the application, potentially leading to session hijacking or defacement. The vulnerability resides within the updateProductServlet function of the Add New Product Page. A fix is available in version 59.0.1.
An attacker can exploit this XSS vulnerability by manipulating the 'productName' argument in the updateProductServlet function. This allows them to inject arbitrary JavaScript code that will be executed in the context of the user's browser. Successful exploitation could result in the attacker stealing session cookies, redirecting users to malicious websites, or defacing the application. The impact is amplified if the application is used by privileged users, as the attacker could potentially gain access to sensitive data or perform administrative actions. Because the vulnerability is publicly disclosed, the risk of exploitation is elevated.
This vulnerability was publicly disclosed on 2025-12-28. The availability of a public proof-of-concept significantly increases the likelihood of exploitation. The CVSS score of 2.4 (LOW) indicates a relatively low inherent risk, but the public disclosure and ease of exploitation warrant immediate attention. The vulnerability is not currently listed on the CISA KEV catalog.
Organizations using rawchen ecms, particularly those with publicly accessible instances or those handling sensitive user data, are at risk. Shared hosting environments where multiple users share the same ecms instance are also particularly vulnerable, as an attacker could potentially exploit the vulnerability through another user's account.
• java / server:
find /var/log/ -name '*.log' -print0 | xargs -0 grep -i 'updateProductServlet'
• generic web:
curl -s -X POST 'http://your-ecms-instance/servlet/product/updateProductServlet' -d 'productName=<script>alert("XSS")</script>' | grep -i 'XSS'
disclosure
Exploit Status
EPSS
0.04% (11th percentile)
CISA SSVC
CVSS-vector
The primary mitigation for CVE-2025-15149 is to upgrade to rawchen ecms version 59.0.1 or later. Given the rolling release nature of the product, ensuring all instances are updated is critical. As a temporary workaround, input validation on the 'productName' field can be implemented to sanitize user-supplied data and prevent the injection of malicious scripts. This could involve restricting the allowed characters or escaping special characters. Web application firewalls (WAFs) configured to detect and block XSS attacks can also provide an additional layer of protection. Monitor application logs for suspicious activity, particularly related to the updateProductServlet endpoint.
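As an added example (not rawchen ecms code), the two defences described above applied to the 'productName' value: an allow-list check on input and HTML escaping at the point of output. The class name, method names and the allow-list pattern are assumptions; the page does not state the product's real naming rules.

```java
// Added example, not the project's own code: allow-list validation plus
// output escaping for a 'productName' value that is rendered back into HTML.
import java.util.regex.Pattern;

public class ProductNameHardening {
    // Assumed allow-list: letters, digits, spaces and a few punctuation marks
    // (the real product's naming rules are not given in the advisory).
    private static final Pattern PRODUCT_NAME =
            Pattern.compile("^[\\p{L}\\p{N} .,'()&-]{1,100}$");

    /** Reject values that do not look like a product name. */
    static boolean isValidProductName(String name) {
        return name != null && PRODUCT_NAME.matcher(name).matches();
    }

    /** Escape the characters that change meaning in HTML text or attribute context. */
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#x27;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** Vulnerable pattern: the request parameter is interpolated into HTML as-is. */
    static String renderUnsafe(String productName) {
        return "<td class=\"name\">" + productName + "</td>";
    }

    /** Hardened pattern: validate first, then escape where the value is written out. */
    static String renderSafe(String productName) {
        if (!isValidProductName(productName)) throw new IllegalArgumentException("rejected productName");
        return "<td class=\"name\">" + escapeHtml(productName) + "</td>";
    }

    public static void main(String[] args) {
        // Constructed sample value of the kind the advisory describes, not a real request.
        String payload = "Widget<script>alert(1)</script>";
        System.out.println(renderUnsafe(payload));            // markup reaches the browser intact
        System.out.println(isValidProductName(payload));      // false: rejected before storage
        System.out.println(renderSafe("Bob's Widgets & Co"));  // escaped, still readable
    }
}
```

Escaping must match the output context; a value placed inside a JavaScript block or a URL needs a different encoder than the HTML one shown here.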
Upgrade to a patched version of ecms that fixes the XSS vulnerability. If no such version is available, sanitize user input in the 'productName' parameter to prevent injection of malicious code. Contact the vendor for a fix.
CVE-2025-15149 is a cross-site scripting (XSS) vulnerability in rawchen ecms versions up to b59d7feaa9094234e8aa6c8c6b290621ca575ded, allowing attackers to inject malicious scripts.
You are affected if you are using rawchen ecms versions prior to 59.0.1. Check your version and upgrade immediately.
Upgrade to rawchen ecms version 59.0.1 or later. Implement input validation as a temporary workaround.
Due to the public disclosure and availability of a proof-of-concept, active exploitation is likely and should be considered a high risk.
Refer to the rawchen ecms official website or security advisories for the latest information and updates regarding CVE-2025-15149.