CVE-2025-15372
Unknown Unknown - Not Provided
Remote XSS in youlaitech vue3-element-admin Notice Handler

Publication date: 2025-12-31

Last updated on: 2026-04-29

Assigner: VulDB

Description
A weakness has been identified in youlaitech vue3-element-admin up to 3.4.0. This issue affects some unknown processing of the file src/views/system/notice/index.vue of the component Notice Handler. This manipulation causes cross site scripting. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-31
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2025-12-31
EPSS Evaluated
2026-06-15
NVD
CVE-2025-15372
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
youlaitech vue3-element-admin *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-15372 is a cross-site scripting (XSS) vulnerability in the youlaitech vue3-element-admin application up to version 3.4.0. It exists in the Notice Handler component, specifically in the file src/views/system/notice/index.vue. The vulnerability allows an attacker to inject malicious JavaScript code that is improperly neutralized before being rendered on a web page. This can be exploited remotely by an attacker with enhanced authentication and requires user interaction. The injected script can execute in the browsers of other users when they view the compromised notice, potentially leading to unauthorized actions or data theft. [1, 2]

Impact Analysis

This vulnerability can impact you by allowing attackers to execute malicious scripts in the context of your web application. This can lead to unauthorized actions, data theft, or manipulation of the application’s behavior. Since the vulnerability is a stored XSS, malicious code injected by an authenticated user with privileges can affect other users who view the compromised notice, potentially compromising the integrity of user interactions and data within the application. [1, 2]

Detection Guidance

This vulnerability can be detected by reviewing the notice management system for stored cross-site scripting (XSS) payloads, especially in the 'Notice Handler' component within the file src/views/system/notice/index.vue. Since the exploit requires authenticated users with privileges to create or edit notices, monitoring for suspicious or unexpected JavaScript code in notices is advised. There is a public proof-of-concept exploit available on GitHub which can be used to test if the system is vulnerable. Specific commands are not provided in the resources, but manual inspection of notice content and testing with the public exploit are recommended. [1, 2, 3]

Mitigation Strategies

Immediate mitigation steps include restricting or disabling the ability for users to create or edit notices until a patch or fix is available, as the vulnerability requires authenticated user interaction. Since no vendor patch or official mitigation is available, replacing the affected component or application with an alternative product is suggested. Additionally, monitoring for suspicious activity and applying web application firewall (WAF) rules to detect and block XSS payloads targeting the notice management system may help reduce risk. [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-15372. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart