Plataforma
php
Componente
webray.com.cn
Corrigido em
638.0.1
A cross-site scripting (XSS) vulnerability has been identified in baowzh hfly, specifically within the advtext Module. This flaw allows attackers to inject malicious scripts into the application, potentially compromising user sessions and data integrity. The vulnerability affects versions up to 638.0.1, and a public proof-of-concept exists, indicating a potential for active exploitation. A fix is available in version 638.0.1.
Successful exploitation of CVE-2025-14519 allows an attacker to execute arbitrary JavaScript code within the context of a user's browser session. This can lead to various malicious actions, including session hijacking, defacement of the website, and theft of sensitive information like cookies and credentials. The vulnerability is triggered by manipulating the /admin/index.php/advtext/add endpoint, suggesting that administrators are particularly at risk. Given the public availability of a proof-of-concept, the potential for widespread exploitation is significant.
CVE-2025-14519 has been publicly disclosed and a proof-of-concept is available, increasing the likelihood of exploitation. The vulnerability is not currently listed on CISA KEV, and the EPSS score is pending evaluation. The vendor did not respond to early disclosure attempts, which may indicate a lack of ongoing support or security focus.
Administrators of baowzh hfly installations are at the highest risk, as the vulnerability is triggered through an administrative interface. Users with access to modify the advtext Module configuration are also potentially vulnerable. Shared hosting environments running baowzh hfly could expose multiple users to this risk.
• php: Examine access logs for requests to /admin/index.php/advtext/add containing unusual characters or patterns in the request parameters. Use grep to search for suspicious input.
grep -i 'script|alert|onerror' /var/log/apache2/access.log• generic web: Use curl to test the /admin/index.php/advtext/add endpoint with a simple XSS payload (e.g., <script>alert('XSS')</script>).
curl -X POST -d '<script>alert("XSS")</script>' http://your-baowzh-hfly-instance/admin/index.php/advtext/adddisclosure
Status do Exploit
EPSS
0.04% (percentil 11%)
CISA SSVC
Vetor CVSS
The primary mitigation for CVE-2025-14519 is to upgrade to version 638.0.1 or later. If upgrading is not immediately feasible, consider implementing input validation and output encoding on the /admin/index.php/advtext/add endpoint to sanitize user-supplied data. Web application firewalls (WAFs) configured to detect and block XSS payloads can also provide a temporary layer of protection. Monitor access logs for suspicious activity related to the affected endpoint, looking for unusual characters or patterns in the request parameters.
Actualizar el módulo advtext a una versión parcheada que corrija la vulnerabilidad XSS. Si no hay una versión disponible, deshabilitar el módulo o aplicar un parche manualmente para escapar o sanitizar las entradas del usuario en el archivo /admin/index.php/advtext/add.
Análise de vulnerabilidades e alertas críticos diretamente no seu e-mail.
CVE-2025-14519 is a cross-site scripting (XSS) vulnerability in baowzh hfly, allowing attackers to inject malicious scripts. It affects versions up to 638.0.1 and can be exploited remotely.
If you are running baowzh hfly version 638.0.1 or earlier, you are potentially affected by this vulnerability. Assess your deployment and upgrade as soon as possible.
Upgrade to version 638.0.1 or later to remediate the vulnerability. Implement input validation and output encoding as a temporary workaround if upgrading is not immediately possible.
A public proof-of-concept exists, indicating a potential for active exploitation. Monitor your systems for suspicious activity.
Due to the vendor's lack of response, an official advisory may not be available. Monitor security news sources and vulnerability databases for updates.
Envie seu arquivo de dependências e descubra na hora se esta e outras CVEs te atingem.