CVE-2025-15149
Unknown Unknown - Not Provided
Cross-Site Scripting in rawchen ecms Add New Product Page

Publication date: 2025-12-28

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability has been found in rawchen ecms up to b59d7feaa9094234e8aa6c8c6b290621ca575ded. Affected by this vulnerability is the function updateProductServlet of the file src/servlet/product/updateProductServlet.java of the component Add New Product Page. The manipulation of the argument productName leads to cross site scripting. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-28
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2025-12-28
EPSS Evaluated
2026-06-15
NVD
CVE-2025-15149
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
rawchen ecms *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the updateProductServlet function of the Add New Product Page component in rawchen ecms. It involves the manipulation of the productName argument, which leads to a cross-site scripting (XSS) vulnerability. This means an attacker can inject malicious scripts remotely, potentially affecting users who interact with this component.

Impact Analysis

The vulnerability allows remote attackers to perform cross-site scripting attacks by manipulating the productName argument. This can lead to the execution of malicious scripts in the context of users' browsers, potentially resulting in unauthorized actions, data theft, or session hijacking. However, the CVSS scores indicate a low to moderate impact, with no confidentiality or availability impact but some integrity impact.

Detection Guidance

This vulnerability can be detected by testing the 'productName' parameter in the 'updateProductServlet' interface for improper input sanitization leading to stored cross-site scripting (XSS). You can attempt to inject typical XSS payloads (e.g., <script>alert(1)</script>) into the 'productName' field and observe if the script executes when the stored data is accessed. Since the vulnerability requires authentication, detection should be performed with valid credentials. Network detection might involve monitoring HTTP requests to the updateProductServlet endpoint for suspicious payloads in the 'productName' parameter. Specific commands are not provided in the resources. [1, 2]

Mitigation Strategies

Immediate mitigation steps include avoiding use of the affected product or replacing it, as no official patches or countermeasures have been released. Additionally, restrict access to the vulnerable 'updateProductServlet' interface to trusted users only, enforce strict input validation and sanitization on the 'productName' parameter if possible, and monitor for suspicious activity. Since the vendor has not provided a fix, consider implementing web application firewalls (WAF) rules to detect and block XSS payloads targeting this parameter. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-15149. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart