免费扫描
LOWCVE-2025-14722CVSS 2.4

vion707 DMadmin Backend AddonsController.class.php add cross site scripting

翻译中…

平台

php

组件

zzz

修复版本

3403.0.1

AI Confidence: highNVDEPSS 0.0%已审阅: 2026年5月
在NVD查看
保存
正在翻译为您的语言…

CVE-2025-14722 describes a cross-site scripting (XSS) vulnerability discovered in vion707 DMadmin, affecting versions up to 3403cafdb42537a648c30bf8cbc8148ec60437d1. Successful exploitation allows an attacker to inject malicious scripts into the application, potentially compromising user sessions and data. A fix is available in version 3403.0.1.

影响与攻击场景翻译中…

This XSS vulnerability allows an attacker to inject arbitrary JavaScript code into the DMadmin interface. An attacker could leverage this to steal user credentials, redirect users to malicious websites, or deface the application. The impact is amplified if DMadmin is used to manage sensitive data or control critical infrastructure, as an attacker could potentially gain unauthorized access and control. The publicly disclosed nature of the exploit increases the likelihood of exploitation, especially given the vendor's lack of response to the disclosure.

利用背景翻译中…

This vulnerability has been publicly disclosed, increasing the risk of exploitation. While the CVSS score is LOW (2.4), the public availability of the exploit makes it a significant concern. The vendor's lack of response to the disclosure further exacerbates the risk, suggesting that a patch may not be prioritized. There is no indication of this being added to the CISA KEV catalog or active exploitation campaigns at this time.

哪些人处于风险中翻译中…

Organizations using vion707 DMadmin for managing their infrastructure or applications are at risk. This includes those relying on DMadmin for configuration management, monitoring, or other critical tasks. Shared hosting environments where multiple users share the same DMadmin instance are particularly vulnerable, as a compromise of one user could potentially affect others.

检测步骤翻译中…

• php: Examine the Admin/Controller/AddonsController.class.php file for any unusual or unexpected code.

grep -r 'eval(' /path/to/DMadmin/Admin/Controller/

• generic web: Monitor access logs for suspicious requests targeting the Add function with unusual parameters.

grep 'Admin/Controller/AddonsController.class.php' /var/log/apache2/access.log

• generic web: Check response headers for signs of script injection.

curl -I <DMadmin_URL>/Admin/Controller/AddonsController.class.php | grep Content-Type

攻击时间线

  1. Disclosure

    Public Disclosure

威胁情报

漏洞利用状态

概念验证未知
CISA KEVNO
互联网暴露

EPSS

0.04% (11% 百分位)

CISA SSVC

利用情况poc
可自动化no
技术影响partial

CVSS 向量

威胁情报· CVSS 3.1CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R2.4LOWAttack VectorNetwork攻击者如何到达目标Attack ComplexityLow利用漏洞所需的条件Privileges RequiredHigh攻击所需的认证级别User InteractionRequired是否需要受害者采取行动ScopeUnchanged超出受影响组件的影响范围ConfidentialityNone敏感数据泄露风险IntegrityLow数据未授权篡改风险AvailabilityNone服务中断风险nextguardhq.com · CVSS v3.1 基础分数
这些指标意味着什么?
Attack Vector
网络 — 可通过互联网远程利用,无需物理或本地访问。攻击面最大。
Attack Complexity
低 — 无需特殊条件,可以稳定地利用漏洞。
Privileges Required
高 — 需要管理员或特权账户。
User Interaction
需要 — 受害者必须打开文件、点击链接或访问特制页面。
Scope
未改变 — 影响仅限于脆弱组件本身。
Confidentiality
无 — 无机密性影响。
Integrity
低 — 攻击者可修改部分数据,影响有限。
Availability
无 — 无可用性影响。

受影响的软件

组件zzz
供应商vion707
影响范围修复版本
3403cafdb42537a648c30bf8cbc8148ec60437d1 – 3403cafdb42537a648c30bf8cbc8148ec60437d13403.0.1

弱点分类 (CWE)

CWE-79CWE-94

时间线

  1. 已保留
  2. 发布日期
  3. EPSS 更新日期

缓解措施和替代方案翻译中…

The primary mitigation is to upgrade to version 3403.0.1 or later, which contains the fix for this vulnerability. If upgrading immediately is not possible, consider implementing temporary workarounds such as input validation and output encoding on the Add function within Admin/Controller/AddonsController.class.php. Web application firewalls (WAFs) configured to detect and block XSS payloads can also provide a layer of protection. After upgrading, confirm the vulnerability is resolved by attempting to inject a simple XSS payload into the Add function and verifying that it is properly sanitized.

修复方法翻译中…

Actualice DMadmin a una versión posterior a 3403cafdb42537a648c30bf8cbc8148ec60437d1. Si no hay actualizaciones disponibles, revise y sanitize las entradas del usuario en el archivo Admin/Controller/AddonsController.class.php, función Add, para evitar la inyección de código malicioso.

CVE 安全通讯

漏洞分析和关键警报直接发送到您的邮箱。

常见问题翻译中…

What is CVE-2025-14722 — XSS in vion707 DMadmin?

CVE-2025-14722 is a cross-site scripting (XSS) vulnerability in vion707 DMadmin versions up to 3403cafdb42537a648c30bf8cbc8148ec60437d1, allowing attackers to inject malicious scripts.

Am I affected by CVE-2025-14722 in vion707 DMadmin?

You are affected if you are using vion707 DMadmin versions prior to 3403.0.1. Check your version and upgrade if necessary.

How do I fix CVE-2025-14722 in vion707 DMadmin?

Upgrade to version 3403.0.1 or later. As a temporary workaround, implement input validation and output encoding.

Is CVE-2025-14722 being actively exploited?

While there's no confirmed active exploitation, the vulnerability is publicly disclosed, increasing the risk of exploitation.

Where can I find the official vion707 advisory for CVE-2025-14722?

Due to the vendor's lack of response, an official advisory may not be available. Monitor security news sources for updates.

你的项目受影响吗?

上传你的依赖文件,立即了解此CVE和其他CVE是否影响你。

免费扫描搜索 CVE