CVE-2025-14538
Description
A security vulnerability has been detected in yangshare warehouseManager 仓库管理系统 1.1.0. This affects the function addCustomer of the file CustomerManageHandler.java. Such manipulation of the argument Name leads to cross-site scripting. The attack can be executed remotely. The exploit has been disclosed publicly and may be used.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in yangshare warehouseManager 1.1.0 via the Name parameter in CustomerManageHandler.addCustomer allows remote unauthenticated attacks.
Vulnerability
Overview
CVE-2025-14538 describes a stored cross-site scripting (XSS) vulnerability in the addCustomer function of CustomerManageHandler.java within yangshare warehouseManager (仓库管理系统) version 1.1.0. The Name argument is not properly sanitized before being stored, allowing an attacker to inject arbitrary JavaScript or HTML code that will be executed when other users view the affected customer record [1].
Attack
Vector and Prerequisites
The vulnerability can be exploited remotely without authentication, as the addCustomer endpoint is accessible to unauthenticated users. The attacker only needs to supply a crafted Name parameter containing malicious script payloads. The stored payload will then be rendered in the browser of any administrator or user who accesses the customer list or detail page, making this a stored (persistent) XSS attack [1].
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's session. This can lead to session hijacking, credential theft, defacement, or redirection to malicious sites. Since the attack is stored, it can affect multiple users over time without requiring further interaction from the attacker [1].
Mitigation
Status
As of the publication date, the vendor has not released a patch; the issue is publicly disclosed on Gitee. Users should restrict network access to the application, implement input validation and output encoding for the Name field, or upgrade to a patched version if one becomes available [1].
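The output-encoding fix recommended above, as an added Java example that is not part of yangshare warehouseManager or of this advisory; the class, method and sample names are assumptions for illustration. It pairs the vulnerable concatenation pattern with the hardened rendering and shows why input validation alone is not enough:

```java
import java.util.List;
public class CustomerNameEncodingExample {
    // Output encoding for HTML text and quoted-attribute contexts: the five characters
    // that can break out of those contexts become entities, so a stored Name renders as text.
    static String htmlEncode(String input) {
        if (input == null) return "";
        StringBuilder sb = new StringBuilder(input.length());
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }
    // Input validation (assumed policy): bounded length and an allowlist of Unicode letters
    // and digits (so Chinese names pass) plus a few punctuation marks. It narrows what can be
    // stored but does not replace encoding: '&' and '\'' are legitimate in names yet still need it.
    static boolean isValidCustomerName(String name) {
        return name != null && !name.isBlank() && name.length() <= 64
            && name.codePoints().allMatch(cp -> Character.isLetterOrDigit(cp)
                || cp == ' ' || cp == '-' || cp == '.' || cp == '&' || cp == '\'');
    }
    // Vulnerable pattern: the stored Name is concatenated straight into the customer list HTML.
    static String renderRowUnsafe(String storedName) {
        return "<td>" + storedName + "</td>";
    }
    // Hardened pattern: the same value, encoded for the HTML text context at output time.
    static String renderRowSafe(String storedName) {
        return "<td>" + htmlEncode(storedName) + "</td>";
    }
    public static void main(String[] args) {
        // Constructed sample names; the first carries markup characters, the others are benign.
        for (String name : List.of("<b>Acme</b> \"West\"", "Acme & Co", "王氏仓储")) {
            System.out.println("valid=" + isValidCustomerName(name));
            System.out.println("unsafe: " + renderRowUnsafe(name));
            System.out.println("safe:   " + renderRowSafe(name));
        }
    }
}
```

Encoding must happen at every point where Name is written into a page (list, detail, error messages), and the choice of encoder depends on the output context; the entity map above is correct only for HTML text and quoted attributes, not for JavaScript or URL contexts.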
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
- Range: = 1.1.0
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (4)
News mentions (0)
No linked articles in our index yet.