CVE-2025-12290
Description
A vulnerability has been found in Sui Shang Information Technology Suishang Enterprise-Level B2B2C Multi-User Mall System 1.0. Affected by this issue is some unknown functionality of the file /i/359. The manipulation of the argument keywords leads to cross site scripting. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A reflected XSS vulnerability in Suishang Enterprise-Level B2B2C Multi-User Mall System 1.0 via the /i/359 endpoint allows remote unauthenticated attackers to inject arbitrary JavaScript through the keywords GET parameter.
Vulnerability
Analysis
A reflected cross-site scripting (XSS) vulnerability has been identified in Sui Shang Information Technology's Suishang Enterprise-Level B2B2C Multi-User Mall System version 1.0. The issue affects the /i/359 endpoint, where the keywords GET parameter is reflected in the server's response without proper sanitization. This allows an attacker to inject arbitrary JavaScript payloads, leading to script execution in the victim's browser [1].
The attack can be carried out remotely and does not require authentication or prior authorization [1]. Exploitation is straightforward: appending a crafted payload such as '"()%26%25&met=lists to the URL triggers the XSS when the page is accessed by a victim [1]. The vulnerability has been publicly disclosed with proof-of-concept details [1].
Impact
Successful exploitation enables an attacker to perform actions on behalf of an authenticated user, steal session cookies, or conduct phishing attacks against users of the mall system [1]. Since the system is a multi-user e-commerce platform, this could lead to account takeover, data theft, or financial fraud.
Mitigation
Status
The vendor was contacted early about this disclosure but did not respond, and no patch or advisory has been released [1]. Users of the Suishang Enterprise-Level B2B2C Multi-User Mall System should apply input validation and output encoding to all user-controlled parameters in the /i/359 endpoint, or restrict access to the vulnerable page until a fix is available [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
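The mitigation above is output encoding of the reflected keywords parameter. The following Python is an added example, not code from the Suishang mall system or from the advisory: it decodes the query string quoted in the analysis, renders it once verbatim (the reflection pattern the advisory describes) and once with HTML attribute encoding, and includes a small check a defender can run against a test instance to confirm a parameter no longer comes back unencoded. The /i/359 path and the keywords and met parameters come from the page; the host, the HTML template and every function name are assumptions.

```python
"""Reflected-parameter handling for a search-style endpoint.

Added example; not code from the Suishang mall system. The endpoint path
/i/359 and the `keywords` / `met` parameters come from the advisory; the
host, the HTML template and the helper names are assumptions.
"""
from html import escape
from urllib.parse import parse_qs, urlsplit

# Constructed request URL carrying the query string quoted in the advisory.
SAMPLE_URL = "http://mall.example/i/359?keywords=%27%22()%26%25&met=lists"


def keywords_from_url(url: str) -> str:
    """Return the percent-decoded `keywords` value, or '' if absent."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return query.get("keywords", [""])[0]


def render_vulnerable(keywords: str) -> str:
    """Reflect the parameter verbatim inside a quoted attribute.

    This is the unsanitized reflection the advisory describes: a quote
    character in the value terminates the attribute and the rest of the
    input becomes markup.
    """
    return f'<input name="keywords" value="{keywords}">'


def render_hardened(keywords: str) -> str:
    """Reflect the parameter after HTML attribute encoding.

    html.escape with quote=True encodes & < > " and ', so the value can no
    longer close the attribute or open a tag.
    """
    return f'<input name="keywords" value="{escape(keywords, quote=True)}">'


def reflected_unencoded(response_html: str, param_value: str) -> bool:
    """Defender's check: True when the raw parameter value appears verbatim
    in the response AND contains a character that can break out of an
    attribute or tag. Run it against a test instance, never production."""
    risky = set('<>"\'&')
    return bool(risky & set(param_value)) and param_value in response_html


if __name__ == "__main__":
    kw = keywords_from_url(SAMPLE_URL)
    print("decoded keywords:", repr(kw))
    for label, render in (("vulnerable", render_vulnerable), ("hardened", render_hardened)):
        html = render(kw)
        print(f"{label:10s} reflects unencoded={reflected_unencoded(html, kw)}  {html}")
```

The attribute encoder is correct only for a value placed inside a quoted HTML attribute; a value reflected into a text node, a JavaScript string or a URL needs the encoder for that context, which is why a template engine with context-aware auto-escaping is the more robust fix than hand-placed escape calls.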
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (4)
News mentions (0)
No linked articles in our index yet.