CVE-2025-15452
Cross-Site Scripting in xnx3 wangmarket Backend Variable Search
Publication date: 2026-01-05
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| xnx3 | wangmarket | to 4.9 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-15452 is a reflective cross-site scripting (XSS) vulnerability in xnx3 wangmarket up to version 4.9. It affects the Backend Variable Search component, specifically the function variableList in the file /admin/system/variableList.do. The vulnerability occurs because the application does not properly sanitize or neutralize user input in the 'Description' argument. An attacker can craft a malicious URL containing a JavaScript payload that, when clicked by a victim, is reflected in the server's HTTP response and executed in the victim's browser, enabling XSS attacks. [2, 3]
How can this vulnerability impact me? :
This vulnerability can allow remote attackers to execute malicious scripts in the browsers of users who interact with crafted URLs. This can lead to unauthorized actions performed on behalf of the user, manipulation of data integrity, and potential compromise of user sessions or sensitive information. Exploitation requires some user interaction and an enhanced level of authentication. Although the CVSS score is low, the availability of a public exploit increases the risk of attacks. [2, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring HTTP requests to the /admin/system/variableList.do endpoint, specifically looking for manipulation of the 'Description' parameter with suspicious or script-like content indicative of cross-site scripting attempts. Since the vulnerability involves reflected XSS via the Description argument, you can use web application security scanners or manual inspection tools to send crafted requests and observe if the input is reflected unsanitized in the response. No specific commands are provided in the resources. [2, 3]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the /admin/system/variableList.do endpoint to trusted and authenticated users only, as exploitation requires elevated privileges and user interaction. Since no vendor patches or countermeasures are available, consider replacing the vulnerable product with an alternative. Additionally, implement web application firewall (WAF) rules to detect and block malicious payloads targeting the Description parameter to reduce risk. [3]