Platform
java
Component
javasec
Fixed in
3.0.1
CVE-2025-2209 is a problematic cross-site scripting (XSS) vulnerability discovered in aitangbao springboot-manager version 3.0. This flaw allows attackers to inject malicious scripts via manipulation of the 'name' argument within the /sysDict/add function. Affected users should upgrade to version 3.0.1 to mitigate this risk, as the vulnerability has been publicly disclosed.
Successful exploitation of CVE-2025-2209 allows an attacker to execute arbitrary JavaScript code within the context of a victim's browser session. This can lead to various malicious outcomes, including session hijacking, credential theft, and defacement of the application. The vulnerability's location within the /sysDict/add function suggests that user-supplied data is not properly sanitized before being rendered, making it susceptible to injection. Given the public disclosure, the risk of exploitation is elevated, particularly if the application is exposed to untrusted user input.
CVE-2025-2209 has been publicly disclosed, increasing the likelihood of exploitation. No KEV listing or EPSS score is currently available. Public proof-of-concept (PoC) code may be available or emerge, further accelerating potential exploitation. The vendor's lack of response to the disclosure is concerning and warrants increased vigilance.
Organizations utilizing aitangbao springboot-manager version 3.0, particularly those with publicly accessible instances of the /sysDict/add endpoint, are at significant risk. Shared hosting environments where multiple users share the same application instance are also vulnerable.
• java / server:
find / -name "springboot-manager*" -type d -exec grep -ri "sysDict/add" {} \;
• generic web:
curl -s -X POST -d 'name=<script>alert(1)</script>' http://your-springboot-manager-url/sysDict/add | grep '<script>'
Exploit Status
EPSS
0.09% (25th percentile)
CISA SSVC
CVSS-vector
The primary mitigation for CVE-2025-2209 is to upgrade to springboot-manager version 3.0.1, which contains the necessary fix. If upgrading immediately is not feasible, consider implementing input validation and output encoding on the /sysDict/add endpoint to sanitize user-supplied data. Web application firewalls (WAFs) can be configured to detect and block XSS attempts targeting this specific endpoint. Thoroughly review and update any existing security policies to address XSS vulnerabilities.
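The two interim controls named above, input validation and output encoding, applied to a dictionary "name" value like the one accepted by /sysDict/add. This is an added example, not springboot-manager's own code; the class, method names and the allowlist policy are hypothetical, and the sample value is constructed.

```java
import java.util.regex.Pattern;

/**
 * Added example (not springboot-manager's own code): interim controls for a
 * dictionary "name" field such as the one accepted by /sysDict/add.
 * Class, method names and allowlist policy are hypothetical.
 */
public class DictNameHardening {

    // Allowlist: letters, digits, underscore, hyphen, space; 1..64 chars.
    // Hypothetical policy; widen only as far as legitimate names require.
    private static final Pattern NAME_ALLOWLIST =
            Pattern.compile("^[\\p{L}\\p{N}_\\- ]{1,64}$");

    /** Input validation at the endpoint: reject anything outside the allowlist. */
    static boolean isValidName(String name) {
        return name != null && NAME_ALLOWLIST.matcher(name).matches();
    }

    /** Output encoding for HTML text content: replaces the characters that
     *  let stored data break out of a text node into markup. */
    static String htmlEncode(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#x27;"); break;
                case '/':  out.append("&#x2F;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample: a name carrying markup, as in the probe above.
        String hostile = "<script>alert(1)</script>";
        String benign  = "order-status";
        System.out.println("validate hostile: " + isValidName(hostile));
        System.out.println("validate benign : " + isValidName(benign));

        // Vulnerable rendering: stored value concatenated into HTML verbatim.
        System.out.println("<td>" + hostile + "</td>");
        // Hardened rendering: encode at the point of output.
        System.out.println("<td>" + htmlEncode(hostile) + "</td>");
    }
}
```

In a real Spring Boot view, rely on the template engine's built-in escaping (for example Thymeleaf's th:text) or a maintained encoder library rather than a hand-written one; the function above only makes the mechanism visible.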
Update springboot-manager to a patched version that fixes the cross-site scripting (XSS) vulnerability. If no patched version is available, sanitize user input in the 'name' parameter of the /sysDict/add endpoint to prevent injection of malicious code.
CVE-2025-2209 is a cross-site scripting (XSS) vulnerability in aitangbao springboot-manager version 3.0, affecting the /sysDict/add function. Attackers can inject malicious scripts by manipulating the 'name' argument.
Yes, if you are using aitangbao springboot-manager version 3.0 and have not upgraded to 3.0.1, you are vulnerable to this XSS attack.
Upgrade to version 3.0.1. As a temporary workaround, implement input validation and output encoding on the /sysDict/add endpoint.
The vulnerability has been publicly disclosed, increasing the risk of active exploitation. Monitor your systems for suspicious activity.
Due to the vendor's lack of response, a formal advisory may not be available. Monitor security news sources and vulnerability databases for updates.