CVE-2025-14801
Cross-Site Scripting in xiweicheng TMS createComment Function
Publication date: 2025-12-17
Last updated on: 2026-04-29
Assigner: VulDB
Description
CVSS Scores
EPSS Scores
| Metric | Value |
|---|---|
| Probability | |
| Percentile | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| xiweicheng | teamwork_management_system | up to 2.28.0 (inclusive) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Cross-Site Scripting (XSS) flaw in xiweicheng TMS version 2.28.0, specifically in the createComment function of the /admin/blog/comment/create endpoint. It occurs because user input in the 'content' argument is not properly encoded or neutralized before being processed, allowing attackers to inject and execute malicious scripts within the web application context. It can be exploited remotely, but requires some user interaction and an authenticated account. [1, 2]
How can this vulnerability impact me?
The vulnerability allows remote attackers to inject malicious scripts that can execute in the context of the web application, potentially compromising data integrity. Although exploitation requires some user interaction and authentication, it can lead to unauthorized script execution, which might be used for phishing, session hijacking, or other malicious activities. The vendor has not provided any mitigation, so users are advised to consider alternative products. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the /admin/blog/comment/create endpoint for improper sanitization of the 'content' parameter. You can attempt to inject typical XSS payloads such as <script>alert(1)</script> into the 'content' argument and observe if the script executes or is reflected unsanitized. Using tools like curl or Burp Suite to send POST requests with malicious payloads to this endpoint can help detect the vulnerability. For example, a curl command to test might be: curl -X POST -d "content=<script>alert(1)</script>" https://your-target-domain/admin/blog/comment/create -H "Cookie: your_auth_cookie" (authentication is required as the vulnerability requires some user interaction and privileges). Monitoring HTTP responses for reflected scripts or unexpected behavior indicates the presence of the vulnerability. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the /admin/blog/comment/create endpoint to trusted users only, ensuring that only authenticated and authorized users can reach it. Since no known countermeasures or patches are available and the vendor has not responded, users are advised to consider alternative products or to implement web application firewall (WAF) rules that detect and block malicious payloads targeting this endpoint. Additionally, monitoring logs for suspicious activity and temporarily disabling or limiting comment creation can reduce risk. [2]
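The two defensive halves of the advice above, as an added illustration that is not code from TMS, from the vendor, or from the advisory: the CWE-79 pattern (user-supplied comment content concatenated raw into HTML) beside its hardened form (HTML-encoding the content for an HTML text context), and a WAF-style request check that flags POST bodies to /admin/blog/comment/create whose 'content' field carries XSS markers. TMS's implementation language and internal function names are not given on the page, so Python and the names render_comment_unsafe, render_comment_safe and inspect_request are assumptions; the sample comment body is a constructed value using the payload the page quotes, and the marker list goes slightly beyond that single payload (event-handler attributes and javascript: URIs) as a coarse heuristic.

```python
import html
import re
from typing import Optional
from urllib.parse import parse_qs

# Endpoint and parameter named in the advisory.
TARGET_PATH = "/admin/blog/comment/create"
TARGET_PARAM = "content"

# Constructed sample comment body (uses the payload quoted on the page).
COMMENT_CONTENT = "Nice post <script>alert(1)</script>"


def render_comment_unsafe(content: str) -> str:
    """The CWE-79 pattern: raw user input placed straight into HTML.

    Kept here only to show the defect; the safe variant below is the fix."""
    return f'<div class="comment">{content}</div>'


def render_comment_safe(content: str) -> str:
    """Hardened form: encode for an HTML text context before output.

    html.escape turns < > & " ' into entities, so a stored comment can no
    longer break out of the text node into markup or script."""
    return f'<div class="comment">{html.escape(content, quote=True)}</div>'


# Coarse XSS-marker heuristic for a WAF/log rule (assumed, not from the page):
#   - opening or closing script/img/svg/iframe tags
#   - inline event handlers such as onerror= / onload=
#   - javascript: URIs
XSS_MARKERS = re.compile(
    r"<\s*/?\s*(script|img|svg|iframe)\b|\bon\w+\s*=|javascript:",
    re.IGNORECASE,
)


def inspect_request(path: str, form_body: str) -> Optional[dict]:
    """Return a finding for a suspicious comment-create request, else None.

    form_body is the raw application/x-www-form-urlencoded body; parse_qs
    percent-decodes it, so %3Cscript%3E is inspected as <script>."""
    if path != TARGET_PATH:
        return None
    fields = parse_qs(form_body, keep_blank_values=True)
    for value in fields.get(TARGET_PARAM, []):
        if XSS_MARKERS.search(value):
            return {
                "path": path,
                "param": TARGET_PARAM,
                "reason": "xss-marker",
                "sample": value[:60],
            }
    return None


if __name__ == "__main__":
    print("unsafe:", render_comment_unsafe(COMMENT_CONTENT))
    print("safe:  ", render_comment_safe(COMMENT_CONTENT))
    # Constructed requests: one URL-encoded payload, one benign comment.
    print(inspect_request(TARGET_PATH, "content=%3Cscript%3Ealert(1)%3C%2Fscript%3E"))
    print(inspect_request(TARGET_PATH, "content=Thanks+for+the+write-up"))
```

The encoder is the actual fix: it belongs in the template or view that emits comment bodies, and it is context-specific (an attribute or JavaScript context needs a different encoder than the HTML text context shown). The request check is only a stop-gap of the kind a WAF rule or log monitor provides while no vendor patch exists; it will miss encodings the heuristic does not anticipate, so it should be treated as an alert source, not as a substitute for output encoding.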