CVE-2025-14801

Summary

A security vulnerability has been detected in xiweicheng TMS up to 2.28.0. This affects the function createComment of the file /admin/blog/comment/create. Such manipulation of the argument content leads to cross site scripting. The attack may be performed from remote. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Affected Software

VendorProductVersion RangeStatus
xiweichengTMS2.0affected
xiweichengTMS2.1affected
xiweichengTMS2.2affected
xiweichengTMS2.3affected
xiweichengTMS2.4affected
xiweichengTMS2.5affected
xiweichengTMS2.6affected
xiweichengTMS2.7affected
xiweichengTMS2.8affected
xiweichengTMS2.9affected
xiweichengTMS2.10affected
xiweichengTMS2.11affected
xiweichengTMS2.12affected
xiweichengTMS2.13affected
xiweichengTMS2.14affected
xiweichengTMS2.15affected
xiweichengTMS2.16affected
xiweichengTMS2.17affected
xiweichengTMS2.18affected
xiweichengTMS2.19affected
xiweichengTMS2.20affected
xiweichengTMS2.21affected
xiweichengTMS2.22affected
xiweichengTMS2.23affected
xiweichengTMS2.24affected
xiweichengTMS2.25affected
xiweichengTMS2.26affected
xiweichengTMS2.27affected
xiweichengTMS2.28.0affected

Weaknesses

  • CWE-79: Cross Site Scripting
  • CWE-94: Code Injection

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: partial

References