CVE-2025-14801
Unknown Unknown - Not Provided
Cross-Site Scripting in xiweicheng TMS createComment Function

Publication date: 2025-12-17

Last updated on: 2026-04-29

Assigner: VulDB

Description
A security vulnerability has been detected in xiweicheng TMS up to 2.28.0. This affects the function createComment of the file /admin/blog/comment/create. Such manipulation of the argument content leads to cross site scripting. The attack may be performed from remote. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-17
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2025-12-17
EPSS Evaluated
2026-06-15
NVD
CVE-2025-14801
EUVD
EUVD-2025-203862
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
xiweicheng teamwork_management_system to 2.28.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a Cross-Site Scripting (XSS) flaw in xiweicheng TMS version 2.28.0, specifically in the createComment function of the /admin/blog/comment/create endpoint. It occurs because user input in the 'content' argument is not properly encoded or neutralized before being processed, allowing attackers to inject and execute malicious scripts within the web application context. This can be exploited remotely and requires some user interaction and authentication levels. [1, 2]

Impact Analysis

The vulnerability allows remote attackers to inject malicious scripts that can execute in the context of the web application, potentially compromising data integrity. Although exploitation requires some user interaction and authentication, it can lead to unauthorized script execution, which might be used for phishing, session hijacking, or other malicious activities. The vendor has not provided any mitigation, so users are advised to consider alternative products. [1, 2]

Detection Guidance

This vulnerability can be detected by testing the /admin/blog/comment/create endpoint for improper sanitization of the 'content' parameter. You can attempt to inject typical XSS payloads such as <script>alert(1)</script> into the 'content' argument and observe if the script executes or is reflected unsanitized. Using tools like curl or Burp Suite to send POST requests with malicious payloads to this endpoint can help detect the vulnerability. For example, a curl command to test might be: curl -X POST -d "content=<script>alert(1)</script>" https://your-target-domain/admin/blog/comment/create -H "Cookie: your_auth_cookie" (authentication is required as the vulnerability requires some user interaction and privileges). Monitoring HTTP responses for reflected scripts or unexpected behavior indicates the presence of the vulnerability. [1, 2]

Mitigation Strategies

Immediate mitigation steps include restricting access to the /admin/blog/comment/create endpoint to trusted users only, ensuring that only authenticated and authorized users can access it. Since no known countermeasures or patches are available and the vendor has not responded, users are advised to consider alternative products or implement web application firewalls (WAF) rules to detect and block malicious payloads targeting this endpoint. Additionally, monitoring logs for suspicious activity and disabling or limiting comment creation functionality temporarily can reduce risk. [2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-14801. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart