VYPR
Medium severity (4.3) · NVD Advisory · Published Oct 27, 2025 · Updated Apr 29, 2026

CVE-2025-12289

Description

A flaw has been found in Sui Shang Information Technology Suishang Enterprise-Level B2B2C Multi-User Mall System 1.0. Affected by this vulnerability is an unknown functionality of the file /Point/index/activity_state/1/category_id/1001. Executing manipulation of the argument category_id can lead to cross-site scripting. The attack can be executed remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Reflected XSS in Suishang Enterprise-Level B2B2C Multi-User Mall System 1.0 via category_id parameter allows remote unauthenticated attackers to execute arbitrary JavaScript.

A reflected cross-site scripting (XSS) vulnerability exists in the Suishang Enterprise-Level B2B2C Multi-User Mall System version 1.0. The flaw is located in the /Point/index/activity_state/1/category_id/1001 endpoint, where the category_id GET parameter is insufficiently sanitized before being reflected in the server's response. This allows an attacker to inject arbitrary JavaScript payloads that execute in the victim's browser context [1].

The attack can be performed remotely without any authentication or prior user interaction. An attacker crafts a malicious URL containing a JavaScript payload in the category_id parameter and lures a victim into clicking it. When the victim's browser loads the URL, the injected script is reflected and executed, enabling the attacker to perform actions within the context of the victim's session [1].

Successful exploitation can lead to serious consequences, including the theft of sensitive session data, unauthorized actions on behalf of authenticated users, and the ability to conduct phishing attacks against users of the mall system. The vulnerability has a CVSS v3 base score of 4.3 (Medium) and a public exploit has been published [1].

The vendor was contacted but did not respond, and no official patch or workaround has been released as of the publication date. Users are advised to implement input validation and output encoding for the category_id parameter, or deploy web application firewall (WAF) rules to mitigate the risk until a fix becomes available.
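The following added example (not code from the Suishang product or the advisory) illustrates the recommended mitigation: a handler that reflects the category_id path segment verbatim, next to a hardened handler that allow-lists the value as an integer and HTML-encodes it on output. The route shape comes from the advisory; the page template, the handler names and the decoding step are assumptions.

```python
import html
import re
from urllib.parse import unquote

# Constructed stand-in for the mall system's page template (assumption: the
# real handler and template are not shown on the advisory page).
PAGE = "<h1>Points activity</h1><p>Category: {category}</p>"

# Route shape taken from the advisory: /Point/index/activity_state/1/category_id/1001
ROUTE = re.compile(r"^/Point/index/activity_state/(\d+)/category_id/([^/]*)$")

def parse_route(path: str):
    """Return (activity_state, category_id) with percent-encoding decoded, or None."""
    m = ROUTE.match(path)
    if not m:
        return None
    # Decode before validating so an encoded value cannot slip past the check.
    return m.group(1), unquote(m.group(2))

def handle_vulnerable(path: str):
    """'Before' behaviour the advisory describes: the segment is reflected verbatim."""
    parsed = parse_route(path)
    if parsed is None:
        return 404, "Not found"
    _, category_id = parsed
    return 200, PAGE.format(category=category_id)

def validate_category_id(raw: str) -> int:
    """Allow-list check: a plain positive integer of at most ten digits."""
    if not re.fullmatch(r"[1-9][0-9]{0,9}", raw):
        raise ValueError("category_id must be a positive integer")
    return int(raw)

def handle_hardened(path: str):
    """Validate the input, then HTML-encode on output as a second layer."""
    parsed = parse_route(path)
    if parsed is None:
        return 404, "Not found"
    _, category_id = parsed
    try:
        cid = validate_category_id(category_id)
    except ValueError as exc:
        # Reject rather than reflect; the error page carries no caller-supplied text.
        return 400, f"Bad request: {html.escape(str(exc))}"
    return 200, PAGE.format(category=html.escape(str(cid), quote=True))

if __name__ == "__main__":
    # Constructed sample request path, not the published exploit.
    print(handle_hardened("/Point/index/activity_state/1/category_id/1001"))
```

The same allow-list (digits only for category_id) is also the natural basis for a temporary WAF rule on this path while no vendor fix exists.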

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
