CVE-2025-6551
BaseFortify
Publication date: 2025-06-24
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| java-aodeng | hope-boot | 1.0.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Cross Site Scripting (XSS) issue in the java-aodeng Hope-Boot 1.0.0 application, specifically in the login function of the WebController.java file. It occurs because user input passed via the errorMsg argument is not properly sanitized or escaped before being included in the web page output. This allows attackers to inject malicious JavaScript code that executes in the victim's browser, potentially leading to session hijacking, defacement, or other malicious actions. [1, 2]
How can this vulnerability impact me? :
The vulnerability can be exploited remotely and requires some user interaction. An attacker can inject malicious scripts into the web page, which execute in the context of other users' browsers. This can lead to session hijacking, unauthorized actions performed on behalf of the user, defacement of the website, or other malicious activities that compromise the integrity and security of the application and its users. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the /login endpoint of the hope-boot 1.0.0 application for reflected cross-site scripting (XSS) via the errorMsg parameter. You can use tools like curl or a web proxy to send crafted requests with JavaScript payloads in the errorMsg parameter and observe if the payload is reflected and executed in the response. For example, a curl command to test might be: curl -v 'http://target/login?errorMsg=<script>alert(1)</script>' and then check if the script tag is reflected in the response HTML. Additionally, using web vulnerability scanners that detect reflected XSS can help identify this issue. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include disabling or restricting access to the vulnerable /login endpoint if possible, and avoiding use of the affected java-aodeng Hope-Boot 1.0.0 version. Since no patches or vendor mitigations are available, consider replacing the affected component with an alternative product. Additionally, implementing web application firewall (WAF) rules to detect and block XSS payloads targeting the errorMsg parameter can help reduce risk until a fix is available. [2]