CVE-2025-15149
Description
A vulnerability has been found in rawchen ecms up to b59d7feaa9094234e8aa6c8c6b290621ca575ded. Affected by this vulnerability is the function updateProductServlet of the file src/servlet/product/updateProductServlet.java of the component Add New Product Page. The manipulation of the argument productName leads to cross site scripting. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided. The vendor was contacted early about this disclosure but did not respond in any way.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A stored XSS vulnerability in ecms updateProductServlet allows attackers to inject arbitrary JavaScript via the productName parameter.
Vulnerability
Overview
A stored cross-site scripting (XSS) vulnerability has been identified in the rawchen ecms project, affecting versions up to commit b59d7feaa9094234e8aa6c8c6b290621ca575ded. The flaw resides in the updateProductServlet Java class, specifically within the src/servlet/product/updateProductServlet.java file. The application fails to sanitize the productName parameter before storing it in the database, allowing an attacker to inject arbitrary JavaScript code [1].
Exploitation
An attacker can exploit this vulnerability by submitting a crafted product name containing script markup via the Add New Product Page. The attack is remote and does not require authentication, as the product update interface is accessible without special privileges. The injected script is stored in the database and executed in the browser of any user who views the affected product listing, which makes this a stored XSS attack [1].
Impact
Successful exploitation enables an attacker to execute arbitrary JavaScript in the context of the victim's browser. This can lead to session hijacking, defacement, or redirection to malicious sites. The CVSS v3 score is 2.4 (Low), reflecting the need for user interaction and the limited direct impact on confidentiality, integrity, and availability in typical deployments.
Mitigation
As of the disclosure date, the vendor has not responded to reports, and no official patch has been released. The project follows a rolling release model, so users should monitor for updates or manually sanitize the productName input in the updateProductServlet code. No workaround is provided by the vendor [1].
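The servlet pattern behind this class of bug, as an added example written for this page rather than taken from the ecms source (which is not reproduced here): the raw productName is concatenated into HTML on render, shown next to a hardened version that validates the value on input and HTML-encodes it on output. The class name, the helper methods and the use of the javax.servlet API are assumptions.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet illustrating the vulnerable and hardened patterns; not the ecms code.
public class ProductNameExample extends HttpServlet {

    // Vulnerable pattern: the stored, untrusted value is written into the page as raw HTML,
    // so any markup in productName becomes part of the document every viewer loads.
    static String renderUnsafe(String productName) {
        return "<td>" + productName + "</td>";
    }

    // Output encoding: escape every character that can change HTML structure or attributes.
    static String htmlEncode(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#x27;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Hardened pattern: encode at the point the value enters an HTML context.
    static String renderSafe(String productName) {
        return "<td>" + htmlEncode(productName) + "</td>";
    }

    // Input-side check: a product name should be short and contain no control characters.
    static boolean isValidProductName(String s) {
        return s != null && !s.isBlank() && s.length() <= 100
                && s.chars().noneMatch(Character::isISOControl);
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        String name = req.getParameter("productName");
        if (!isValidProductName(name)) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "invalid productName");
            return;
        }
        // Persisting the raw string is acceptable only because every render path encodes it.
        resp.setContentType("text/html;charset=UTF-8");
        PrintWriter w = resp.getWriter();
        w.print(renderSafe(name)); // never renderUnsafe(name)
    }
}
```

Validation alone is not a fix: a name such as `A&B <Pro>` is legitimate, so the encoding step on output is what actually prevents the stored script from executing.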
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
References: 4
News mentions: 0
No linked articles in our index yet.