CVE-2025-14519
BaseFortify
Publication date: 2025-12-11
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| baowzh | hfly | * |
| baowzh | hfly | 638ff9abe9078bc977c132b37acbe1900b63491c |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a security flaw in the baowzh hfly software affecting the advtext module, specifically the /admin/index.php/advtext/add file. It allows an attacker to perform a cross-site scripting (XSS) attack by manipulating input to this component. The attack can be executed remotely, meaning an attacker does not need local access to exploit it. The vulnerability has been publicly disclosed and an exploit is available.
How can this vulnerability impact me? :
This vulnerability can impact you by allowing an attacker to execute cross-site scripting attacks remotely. This could lead to the attacker injecting malicious scripts into web pages viewed by other users, potentially stealing session tokens, redirecting users to malicious sites, or performing actions on behalf of users without their consent. However, the CVSS scores indicate a relatively low to moderate severity, with no impact on confidentiality or availability, but some impact on integrity.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the /admin/index.php/advtext/add endpoint for stored cross-site scripting (XSS) by injecting typical XSS payloads into the advtext add functionality and observing if the payload is executed when the stored content is viewed. Since a proof-of-concept exploit is publicly available on GitHub, you can use it to verify the presence of the vulnerability. Specific commands are not provided in the resources, but typical detection involves sending HTTP POST requests with XSS payloads to the vulnerable endpoint and checking the response or subsequent page rendering for script execution. [2, 3]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include avoiding use of the vulnerable advtext add functionality or replacing the affected component or product, as no patches or countermeasures are currently known. Additionally, applying input validation and output encoding to neutralize user-controllable input before inclusion in web pages is recommended. Since the vendor has not responded and no fixes are available, restricting access to the vulnerable endpoint and monitoring for exploitation attempts are advisable interim measures. [3]