Fixed version: 2.0.1, 2.1.1, 2.2.1, 2.3.1, 2.4.1, 2.5.1, 2.6.1, 2.7.1, 2.8.1, 2.9.1, 2.10.1, 2.11.1, 2.12.1, 2.13.1, 2.14.1, 2.15.1, 2.16.1, 2.17.1, 2.18.1, 2.19.1, 2.20.1, 2.21.1, 2.22.1, 2.23.1, 2.24.1, 2.25.1, 2.26.1, 2.27.1, 2.28.1
A cross-site scripting (XSS) vulnerability has been identified in xiweicheng TMS versions 2.0 through 2.28.0. The 'content' parameter of the /admin/blog/comment/create endpoint is not properly neutralized before the comment is rendered, so an attacker can submit a comment that carries a script. Because the comment is displayed inside the administrative interface, successful exploitation could lead to session hijacking or defacement of that interface. A fix is available in version 2.28.1.
The XSS vulnerability in xiweicheng TMS allows an attacker to inject arbitrary JavaScript into the application through the comment content. The script executes in the browser of any user who views the page where the comment is rendered, with that user's session. An attacker could use this to steal session cookies (unless they are protected with HttpOnly), redirect users to malicious websites, or modify what the application displays. Since the affected endpoint belongs to the administrative interface, an administrator who views the injected comment could hand the attacker control over the entire TMS instance, potentially leading to data breaches, system compromise, and reputational damage. The public disclosure of this vulnerability increases the likelihood of exploitation.
This vulnerability was publicly disclosed on 2025-12-17. The vendor, xiweicheng, was contacted but did not respond. The availability of a public proof-of-concept significantly increases the risk of exploitation. While the CVSS score is LOW, the potential impact on administrative access warrants prompt remediation. No KEV listing or confirmed exploitation campaigns are currently known.
Organizations using xiweicheng TMS versions 2.0 through 2.28.0, particularly those with publicly accessible administrative interfaces, are at risk. Shared hosting environments where multiple users share the same TMS instance are also at increased risk, as a compromised user account could be used to exploit the vulnerability.
• generic web: In a test instance, submit a harmless probe through the 'content' parameter of /admin/blog/comment/create (e.g., <script>alert(1)</script>). The endpoint sits under /admin, so send the request with whatever session the interface requires. The POST response itself is rarely the interesting part: afterwards load the page that displays the comment and check whether the probe comes back unencoded.
curl -X POST -d 'content=<script>alert(1)</script>' http://your-tms-server/admin/blog/comment/create
• generic web: Examine access logs for requests to /admin/blog/comment/create from unexpected clients or at unusual volume. A standard access log records only the request line, so the 'content' value in a POST body will not appear there; if the reverse proxy or WAF logs request bodies, search those for XSS markers (script tags, event-handler attributes, javascript: URLs), including URL-encoded and double-URL-encoded forms.
• generic web: Review the response bodies (not the headers) of pages that render comments for script tags, event-handler attributes, or javascript: URLs that did not come from the application's own templates.
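The log review above, worked through as an added example (not part of the original advisory and not TMS code). The log lines are constructed, and they assume a reverse-proxy log format that appends the POST body after the User-Agent as body="...", such as an nginx log_format that includes $request_body; a plain combined log has no body field, and such requests are reported for manual review instead.

```python
import html
import re
from urllib.parse import parse_qs, unquote_plus

# Constructed sample lines (not real traffic). The last line shows a request
# logged in plain combined format, i.e. without a body field.
SAMPLE_LOG = """\
203.0.113.5 - - [17/Dec/2025:10:01:02 +0000] "POST /admin/blog/comment/create HTTP/1.1" 200 512 "-" "curl/8.4.0" body="content=%3Cscript%3Ealert%281%29%3C%2Fscript%3E"
203.0.113.6 - - [17/Dec/2025:10:02:15 +0000] "POST /admin/blog/comment/create HTTP/1.1" 200 512 "-" "Mozilla/5.0" body="content=Looks+good+to+me"
198.51.100.9 - - [17/Dec/2025:10:03:40 +0000] "GET /admin/blog/list HTTP/1.1" 200 2048 "-" "Mozilla/5.0" body="-"
203.0.113.7 - - [17/Dec/2025:10:05:00 +0000] "POST /admin/blog/comment/create HTTP/1.1" 200 512 "-" "Mozilla/5.0" body="content=%253Cimg%2520src%253Dx%2520onerror%253Dalert%25281%2529%253E"
203.0.113.8 - - [17/Dec/2025:10:06:30 +0000] "POST /admin/blog/comment/create HTTP/1.1" 200 512 "-" "python-requests/2.32"
"""

TARGET_PATH = "/admin/blog/comment/create"

# Combined log format with an optional trailing body="..." field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
    r'(?: body="(?P<body>[^"]*)")?'
)

# Markers of active content rather than a plain-text comment. This is a triage
# heuristic: "onion=" in prose would also match, so review hits by hand.
XSS_RE = re.compile(
    r"<\s*(script|iframe|svg|img|object|embed)\b|javascript\s*:|\bon[a-z]+\s*=",
    re.IGNORECASE,
)


def normalize(value: str) -> str:
    """Undo the layers used to hide a payload: URL-decode twice (catches
    double encoding), then HTML-entity-decode, then fold case."""
    decoded = unquote_plus(unquote_plus(value))
    return html.unescape(decoded).lower()


def looks_like_xss(value: str) -> bool:
    return XSS_RE.search(normalize(value)) is not None


def parse_line(line: str):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def scan_log(text: str):
    """One hit per request to the comment endpoint whose logged body carries
    a suspicious 'content' value. Requests without a logged body are reported
    with reason 'no-body' so they can be checked against other sources."""
    hits = []
    for raw in text.splitlines():
        rec = parse_line(raw)
        if not rec or rec["path"].split("?")[0] != TARGET_PATH:
            continue
        body = rec.get("body")
        if not body or body == "-":
            hits.append({"ip": rec["ip"], "ts": rec["ts"], "reason": "no-body"})
            continue
        # parse_qs strips one URL-encoding layer; normalize() handles the rest.
        params = parse_qs(body, keep_blank_values=True)
        for value in params.get("content", []):
            if looks_like_xss(value):
                hits.append({"ip": rec["ip"], "ts": rec["ts"],
                             "reason": "xss-marker", "content": normalize(value)})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Run it as-is to see the two encoded payloads flagged and the body-less request listed for follow-up; point scan_log at your own proxy log once the body field is logged.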
disclosure
Exploitation status
EPSS: 0.04% (13th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-14801 is to upgrade xiweicheng TMS to version 2.28.1 or later. If upgrading is not immediately feasible, address the rendering side first: the durable fix for XSS is contextual output encoding wherever the stored comment is written into a page (HTML-escape it for plain-text comments, or run it through an allow-list sanitizer if limited formatting is needed). Input validation on the 'content' parameter of /admin/blog/comment/create reduces exposure but is easy to bypass on its own. Web application firewalls (WAFs) configured to block XSS payloads can provide a temporary layer of protection; review and update the rules regularly, since encoded and obfuscated payloads evade stale signatures. Marking the session cookie HttpOnly and deploying a Content-Security-Policy that disallows inline script limit what an injected script can do until the fix is in place.
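The two rendering-side fixes named above, as an added example. This is not TMS code (the page does not show how TMS renders comments or what language it uses), so the function names are hypothetical stand-ins for "emit the stored 'content' into the admin page": the vulnerable concatenation, the minimal escaping fix, and an allow-list sanitizer for comments that may carry limited formatting.

```python
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


def render_comment_vulnerable(content: str) -> str:
    """The failure mode: stored comment text is concatenated into HTML as-is."""
    return f'<div class="comment">{content}</div>'


def render_comment_escaped(content: str) -> str:
    """Minimal fix for plain-text comments: encode for the HTML body context."""
    return f'<div class="comment">{html.escape(content, quote=True)}</div>'


# Allow-list for comments that are permitted limited formatting.
ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br", "code", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_SCHEMES = {"http", "https"}
VOID_TAGS = {"br"}
DROP_WITH_CONTENT = {"script", "style"}


def _safe_href(value: str) -> bool:
    # Browsers ignore control characters and whitespace inside a scheme, so
    # strip them before deciding ("java\tscript:" must not slip through).
    cleaned = re.sub(r"[\x00-\x20]", "", value)
    scheme = urlparse(cleaned).scheme.lower()
    if scheme:
        return scheme in SAFE_SCHEMES
    return ":" not in cleaned  # relative URL with no scheme-like prefix


class _AllowListSanitizer(HTMLParser):
    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out = []
        self._dropping = 0  # >0 inside <script>/<style>: discard their text too

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self._dropping += 1
            return
        if tag not in ALLOWED_TAGS:
            return  # unknown tag is dropped; its text content is kept
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # removes onerror=, onclick=, style=, srcdoc=, ...
            if name == "href" and not _safe_href(value or ""):
                continue
            kept.append(f' {name}="{html.escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self._dropping = max(0, self._dropping - 1)
        elif tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._dropping:
            self.out.append(html.escape(data, quote=False))


def sanitize_comment(content: str) -> str:
    """Reduce user-supplied HTML to the allow-list; everything else is dropped
    and all text is re-encoded on the way out."""
    p = _AllowListSanitizer()
    p.feed(content)
    p.close()
    return "".join(p.out)


if __name__ == "__main__":
    probe = '<script>alert(1)</script><b onclick="x()">hi</b>'
    print(render_comment_vulnerable(probe))
    print(render_comment_escaped(probe))
    print(sanitize_comment(probe))
```

The escaping variant is the right default; the sanitizer only earns its keep if comments genuinely need markup, and even then the output should still be placed in an HTML body context, not inside an attribute or a script block.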
Update xiweicheng TMS to version 2.28.1 or later, which corrects the XSS vulnerability. If a fixed version cannot be deployed yet, consider disabling or removing the affected component until it can. Review and filter user input in the createComment function, and encode the stored content when it is rendered, to prevent injection of malicious code.
CVE-2025-14801 is a cross-site scripting (XSS) vulnerability affecting xiweicheng TMS versions 2.0 through 2.28.0, allowing attackers to inject malicious scripts.
You are affected if you are using xiweicheng TMS versions 2.0 to 2.28.0 and have not yet upgraded to version 2.28.1 or later.
Upgrade xiweicheng TMS to version 2.28.1 or later. As a temporary workaround, implement input validation and sanitization on the 'content' parameter.
While no confirmed exploitation campaigns are currently known, the vulnerability has been publicly disclosed and a proof-of-concept exists, increasing the likelihood of exploitation.
Due to the vendor's lack of response, an official advisory may not be available. Monitor security news sources and vulnerability databases for updates.