CVE-2025-8222
BaseFortify
Publication date: 2025-07-27
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| jerryshensjf | jpacookieshop | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-8222 is a Stored Cross-Site Scripting (XSS) vulnerability in the JPACookieShop 蛋糕商城JPA版 application, specifically in the GoodsController.java file. The vulnerability occurs because the application does not properly filter or validate user input in the 'Add Product' feature, nor does it encode data before rendering it in the browser. This allows attackers to inject malicious scripts that are stored and later executed in users' browsers when they access affected endpoints. [1, 2]
How can this vulnerability impact me? :
This vulnerability can allow remote attackers to execute malicious scripts in the context of users' browsers, potentially leading to session hijacking, defacement, or redirection to malicious sites. Since the attack requires user interaction, it can compromise user trust and data integrity. The exploit is easy to perform and publicly available, increasing the risk of exploitation. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the affected endpoints, such as /goodsController/addGoods, for stored cross-site scripting (XSS) by injecting typical XSS payloads and observing if the input is improperly neutralized and executed in the browser. Since the vulnerability involves lack of input filtering and encoding in the GoodsController.java component, manual or automated web application security scanners targeting XSS can be used. Specific commands would depend on the tools used, for example, using curl to send payloads or using tools like OWASP ZAP or Burp Suite to scan the endpoints. However, no explicit detection commands are provided in the resources. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include implementing proper input validation and output encoding to neutralize user-controllable input before rendering it in web pages. Specifically, apply whitelist or blacklist validation on incoming parameters in the backend, and ensure data stored in the database is HTML entity-encoded or properly encoded before display. Since no known mitigations or countermeasures are identified and the vulnerability affects multiple endpoints, replacing the affected component with an alternative product is suggested as a mitigation. Additionally, restricting user privileges and applying web application firewalls (WAF) rules to detect and block XSS payloads can help reduce risk temporarily. [1, 2]