CVE-2025-2617
Description
A vulnerability classified as problematic was found in yangyouwang 杨有旺 crud 简约后台管理系统 1.0.0. Affected by this vulnerability is an unknown functionality of the component Department Page. The manipulation leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A stored XSS vulnerability exists in yangyouwang crud 简约后台管理系统 1.0.0, allowing remote attackers to inject arbitrary scripts via the Department page.
Vulnerability Analysis
A stored cross-site scripting (XSS) vulnerability has been identified in yangyouwang crud 简约后台管理系统 version 1.0.0. The flaw resides in the Department page, where user-supplied input is insufficiently sanitized, allowing an attacker to inject arbitrary JavaScript or HTML code [1]. This issue is categorized as problematic with a CVSS v3 base score of 2.4, indicating low severity [1].
The attack can be launched remotely, meaning an unauthenticated or low-privileged attacker could craft a malicious request to the Department page. According to the advisory, the exploit has been publicly disclosed, increasing the risk of widespread exploitation [1]. No authentication is explicitly required, though the specific endpoint details are not fully described beyond the component name. The vulnerability is classified as problematic, suggesting that exploitation may require user interaction or other conditions to succeed.
Successful exploitation could allow an attacker to execute arbitrary script code in the context of the victim's browser. This could lead to session hijacking, redirection to malicious sites, or theft of sensitive data displayed on the page. As the exploit is public, the potential for targeted attacks against installations of this system is elevated. The vendor has not released a patch as of the publication date, and the repository appears to be in active development [1]. Users are advised to implement input validation and output encoding for the Department page until a fix is available.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 3
News mentions
No linked articles in our index yet.