CVE-2025-8221
BaseFortify
Publication date: 2025-07-27
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| jerryshensjf | jpacookieshop | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-8221 is a reflected Cross-Site Scripting (XSS) vulnerability in the JPACookieShop 蛋糕商城JPA版 application, specifically in the goodsSearch function of GoodsCustController.java. The vulnerability occurs because the 'keyword' parameter from user input is not properly sanitized or neutralized before being included in the web page output. This allows attackers to inject malicious scripts that execute in the victim's browser context when the crafted input is reflected back, potentially leading to unauthorized script execution. [1, 2]
How can this vulnerability impact me? :
This vulnerability can impact you by allowing remote attackers to execute malicious scripts in the context of your users' browsers without requiring authentication. This can lead to unauthorized actions such as session hijacking, defacement, or redirection to malicious sites. Since the attack requires user interaction, it can be exploited through social engineering or crafted links. The integrity of the application is impacted as attackers can manipulate the content displayed to users. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the /goods_search API endpoint of the JPACookieShop application for reflected Cross-Site Scripting (XSS) by injecting malicious scripts into the 'keyword' parameter and observing if the input is reflected unsanitized in the response. Since the input is not properly sanitized or filtered, sending payloads such as <script>alert(1)</script> in the keyword parameter and checking the response for script execution or reflected payload can confirm the vulnerability. Network detection could involve monitoring HTTP requests to /goods_search for suspicious or script-containing keyword parameters. Specific commands could include using curl or tools like Burp Suite or OWASP ZAP to send crafted requests, for example: curl -G 'http://target/goods_search' --data-urlencode 'keyword=<script>alert(1)</script>' and inspecting the response for reflected scripts. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include avoiding use of the affected JPACookieShop version if possible, or replacing it with an alternative product as no known mitigations or patches are currently documented. Additionally, applying input validation and output encoding on the 'keyword' parameter in the /goods_search API to neutralize malicious scripts can help. Employing web application firewalls (WAFs) to detect and block XSS payloads targeting this endpoint may reduce risk. Since the vulnerability is due to improper input handling, developers should implement proper sanitization and escaping of user inputs before rendering them in web pages. [2]