CVE-2025-11278
BaseFortify

Publication date: 2025-10-05

Last updated on: 2026-04-29

Assigner: VulDB

Description
A security vulnerability has been detected in AllStarLink Supermon up to 6.2. This vulnerability affects unknown code of the component AllMon2. The manipulation leads to cross-site scripting. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. This vulnerability only affects products that are no longer supported by the maintainer.
Meta Information
Published: 2025-10-05
Last Modified: 2026-04-29
Generated: 2026-05-07
AI Q&A: 2025-10-05
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 2 associated CPEs
Vendor        Product    Version / Range
allstarlink   allmon2    *
allstarlink   supermon   6.2
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-11278 is a reflected Cross-Site Scripting (XSS) vulnerability in the AllStarLink Supermon application up to version 6.2, specifically in the AllMon2 component. The vulnerability occurs because the application reflects arbitrary URL parameters directly in the response without proper input validation or sanitization. An attacker can inject malicious scripts into a URL parameter, which then execute in the victim's browser when they visit the crafted URL. This can lead to execution of arbitrary JavaScript code in the context of the user's browser session. [1, 2]


How can this vulnerability impact me?

This vulnerability can allow remote attackers to execute malicious scripts in the context of a user's browser without requiring authentication, potentially compromising user sessions or performing other malicious actions. Exploitation requires user interaction, such as clicking a crafted link. Since the affected product is no longer supported and no mitigations are available, users remain exposed to these attacks if they continue using the vulnerable software. [1, 2]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by testing for reflected Cross-Site Scripting (XSS) in the AllMon2 component of AllStarLink Supermon up to version 6.2. One method is to inject a crafted payload into URL parameters and observe if the payload is reflected and executed in the browser. For example, injecting the payload `'><svg/onload=confirm('c4ng4c3ir0')>` into a URL parameter and checking if a confirmation dialog appears indicates the presence of the vulnerability. Detection can be performed using web application testing tools or manually by crafting URLs with such payloads and monitoring the response in a browser. Specific commands depend on the tools used, but a simple curl command to test reflection might be: `curl -i 'http://target/allmon2?param=%27%3E%3Csvg/onload=confirm(%27c4ng4c3ir0%27)%3E'` followed by manual inspection of the response or browser testing. [1]
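As an added example (not part of this page or of the AllStarLink project), the following script scans constructed web-server access log entries for requests to AllMon2 whose query parameters decode to the kind of SVG onload payload quoted above, including double-encoded variants. The script path, parameter names and IP addresses in the sample lines are assumptions, since the advisory does not identify the vulnerable script or parameter.

```python
"""Flag access-log requests to AllMon2 that carry reflected-XSS payloads."""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Markers for the payload shape quoted in the advisory (<svg/onload=...>)
# plus common variants; compared against fully decoded, lower-cased values.
XSS_MARKERS = ("<svg", "onload=", "<script", "onerror=", "javascript:")

# Combined Log Format: ip ident user [time] "METHOD url HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) ')

# Constructed sample lines; the script name and parameters are assumptions.
SAMPLE_LOG = [
    '203.0.113.5 - - [05/Oct/2025:10:00:01 +0000] "GET /allmon2/page.php?node=1999 HTTP/1.1" 200 512',
    '203.0.113.9 - - [05/Oct/2025:10:00:07 +0000] "GET /allmon2/page.php?node=%27%3E%3Csvg/onload=confirm(1)%3E HTTP/1.1" 200 640',
    '198.51.100.4 - - [05/Oct/2025:10:01:13 +0000] "GET /allmon2/?x=%2527%253E%253Csvg%2Fonload%3Dalert(1)%253E HTTP/1.1" 200 610',
    '198.51.100.8 - - [05/Oct/2025:10:02:00 +0000] "GET /index.php?q=%3Csvg%20onload=1%3E HTTP/1.1" 404 0',
]

def decode_fully(value, rounds=3):
    """Percent-decode repeatedly so double-encoded payloads are not missed."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_params(url):
    """Return {param: decoded value} for query values containing an XSS marker."""
    hits = {}
    for name, raw in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        val = decode_fully(raw).lower()  # parse_qsl already decoded one level
        if any(marker in val for marker in XSS_MARKERS):
            hits[name] = val
    return hits

def scan_log(lines, path_hint="allmon2"):
    """Return (ip, timestamp, path, hits) for AllMon2 requests carrying a payload."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or path_hint not in m.group("url").lower():
            continue
        hits = suspicious_params(m.group("url"))
        if hits:
            findings.append((m.group("ip"), m.group("ts"), urlsplit(m.group("url")).path, hits))
    return findings

if __name__ == "__main__":
    for ip, ts, path, hits in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} {path} -> {hits}")
```

Run it against real logs by replacing SAMPLE_LOG with the lines of an access log; a hit on a reflected request confirms only that a payload was delivered, so the response still needs checking to see whether it was echoed unencoded.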


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include discontinuing use of the vulnerable AllStarLink Supermon versions up to 6.2, as the product is no longer supported and no known countermeasures or patches are available. Replacing the affected product with an alternative solution is recommended. Additionally, applying web application firewalls (WAF) rules to block suspicious input patterns and educating users to avoid interacting with untrusted links can help reduce risk. Since the vulnerability requires user interaction, limiting exposure to untrusted URLs is important. [2]

