Platform
java
Component
javasec
Fixed in
3.0.1
A cross-site scripting (XSS) vulnerability has been identified in aitangbao springboot-manager versions 3.0. This issue arises from improper handling of file names within the /sysFiles/upload component, enabling attackers to inject malicious scripts. Affected versions include 3.0. A fix is available in version 3.0.1.
The vulnerability allows an attacker to inject arbitrary JavaScript code into the application via manipulation of the 'name' parameter when uploading files to the /sysFiles/upload endpoint. Successful exploitation could lead to session hijacking, defacement of the application, or redirection to malicious websites. The attacker could potentially steal sensitive user data or gain unauthorized access to the system. This vulnerability is particularly concerning as it is a cross-site scripting flaw, which is a common attack vector used to compromise web applications.
This vulnerability has been publicly disclosed. The exploit is considered to have a low probability of exploitation (LOW EPSS score) due to the need for user interaction to trigger the XSS payload. No active campaigns or KEV listing are currently associated with this CVE as of the publication date. The vulnerability was disclosed on 2025-03-11.
Organizations using aitangbao springboot-manager version 3.0 are at risk. Specifically, those who rely on the /sysFiles/upload functionality for file uploads and lack robust input validation are particularly vulnerable. Shared hosting environments where multiple users have access to the file upload functionality are also at increased risk.
• java / server:
grep -r 'name=.*;' /path/to/springboot-manager/logs/access.log
• generic web:
curl -I 'http://your-springboot-manager-instance.com/sysFiles/upload?name=<script>alert(1)</script>'
• generic web:
curl -s 'http://your-springboot-manager-instance.com/sysFiles/upload?name=<script>alert(1)</script>' | grep alert
Disclosure
Exploit Status
EPSS
0.09% (25th percentile)
CISA SSVC
CVSS-vector
The primary mitigation is to upgrade to version 3.0.1 of springboot-manager, which addresses the vulnerability. If an immediate upgrade is not feasible, consider implementing input validation and sanitization on the 'name' parameter within the /sysFiles/upload endpoint. A Web Application Firewall (WAF) can be configured to block requests containing suspicious characters or patterns in the filename. Regularly review and update security policies to prevent similar vulnerabilities in the future.
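As an added illustration of the server-side validation and output encoding recommended above (example code written for this page, not code from the springboot-manager project), the class below applies an allow-list to an uploaded file name and HTML-encodes the name before it is echoed back. The allow-list pattern, the length limit and the class and method names are assumptions chosen for the example; the sample inputs are constructed.

```java
import java.util.regex.Pattern;

public final class UploadNameGuard {
    // Assumed allow-list policy: letters, digits, dot, underscore, hyphen, up to 128 chars.
    private static final Pattern SAFE_NAME = Pattern.compile("^[A-Za-z0-9._-]{1,128}$");

    private UploadNameGuard() {}

    /**
     * Validate a client-supplied upload name. Returns the accepted base name,
     * or null when the name must be rejected (caller should answer 400).
     */
    public static String validateUploadName(String rawName) {
        if (rawName == null) return null;
        // Drop any directory component the client may have sent, for either separator.
        String base = rawName.replace('\\', '/');
        base = base.substring(base.lastIndexOf('/') + 1);
        if (base.isEmpty() || base.equals(".") || base.equals("..")) return null;
        // Allow-list check: anything containing '<', '>', quotes, etc. is rejected here.
        return SAFE_NAME.matcher(base).matches() ? base : null;
    }

    /** Encode a string for safe inclusion in an HTML text node or quoted attribute. */
    public static String htmlEscape(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample inputs: a benign name, a name carrying the markup
        // quoted in the advisory, and a path-traversal style name.
        String[] samples = {
            "report-2025.pdf",
            "<script>alert(1)</script>.txt",
            "../../etc/passwd"
        };
        for (String s : samples) {
            String accepted = validateUploadName(s);
            // Even the rejected value is encoded before being written to any HTML response.
            System.out.println("input=" + htmlEscape(s)
                + " -> " + (accepted == null ? "REJECTED" : "accepted as " + accepted));
        }
    }
}
```

Validation on the way in and encoding on the way out are independent controls: the allow-list stops markup from ever being stored as a file name, and `htmlEscape` protects any page that renders names (including error messages that echo the rejected input) if a stored value ever bypasses the first check.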
Update to a patched version of springboot-manager that fixes the cross-site scripting (XSS) vulnerability in file uploads. If no such version is available, review and sanitize the file name input on the /sysFiles/upload endpoint to prevent injection of malicious code. Implement robust server-side validation to ensure that file names are safe.
CVE-2025-2208 is a cross-site scripting (XSS) vulnerability in aitangbao springboot-manager version 3.0, affecting file uploads and potentially allowing attackers to inject malicious scripts.
If you are using springboot-manager version 3.0 and haven't upgraded, you are potentially affected. Assess your usage of the /sysFiles/upload endpoint.
Upgrade to version 3.0.1. If immediate upgrade isn't possible, implement input validation and consider a WAF.
Currently, there's no confirmed active exploitation, but the vulnerability is publicly disclosed and could be exploited.
Refer to the aitangbao project's official channels and security advisories for the most up-to-date information regarding CVE-2025-2208.