CVE-2025-15372
Remote XSS in youlaitech vue3-element-admin Notice Handler
Publication date: 2025-12-31
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| youlaitech | vue3-element-admin | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-15372 is a cross-site scripting (XSS) vulnerability in the youlaitech vue3-element-admin application up to version 3.4.0. It exists in the Notice Handler component, specifically in the file src/views/system/notice/index.vue. The vulnerability allows an attacker to inject malicious JavaScript code that is improperly neutralized before being rendered on a web page. This can be exploited remotely by an attacker with enhanced authentication and requires user interaction. The injected script can execute in the browsers of other users when they view the compromised notice, potentially leading to unauthorized actions or data theft. [1, 2]
How can this vulnerability impact me? :
This vulnerability can impact you by allowing attackers to execute malicious scripts in the context of your web application. This can lead to unauthorized actions, data theft, or manipulation of the applicationβs behavior. Since the vulnerability is a stored XSS, malicious code injected by an authenticated user with privileges can affect other users who view the compromised notice, potentially compromising the integrity of user interactions and data within the application. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by reviewing the notice management system for stored cross-site scripting (XSS) payloads, especially in the 'Notice Handler' component within the file src/views/system/notice/index.vue. Since the exploit requires authenticated users with privileges to create or edit notices, monitoring for suspicious or unexpected JavaScript code in notices is advised. There is a public proof-of-concept exploit available on GitHub which can be used to test if the system is vulnerable. Specific commands are not provided in the resources, but manual inspection of notice content and testing with the public exploit are recommended. [1, 2, 3]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting or disabling the ability for users to create or edit notices until a patch or fix is available, as the vulnerability requires authenticated user interaction. Since no vendor patch or official mitigation is available, replacing the affected component or application with an alternative product is suggested. Additionally, monitoring for suspicious activity and applying web application firewall (WAF) rules to detect and block XSS payloads targeting the notice management system may help reduce risk. [1, 2]