VYPR
Low severity (CVSS 3.5) · NVD Advisory · Published Jun 9, 2025 · Updated Apr 29, 2026

CVE-2025-5879

Description

A vulnerability, which was classified as problematic, was found in WuKongOpenSource WukongCRM 9.0. This affects an unknown part of the file AdminSysConfigController.java of the component File Upload. The manipulation of the argument File leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

WukongCRM 9.0 contains a stored XSS vulnerability via arbitrary file upload in AdminSysConfigController.java due to insufficient file validation.

Vulnerability Analysis

WukongCRM 9.0 is affected by a stored cross-site scripting (XSS) vulnerability rooted in insufficient validation of uploaded files in AdminSysConfigController.java. According to the cited reference, the upload handler does not verify that the file's extension and content type are ones the application actually needs, so an attacker can upload a file such as an .svg or .html document that carries arbitrary JavaScript. The root cause is therefore an arbitrary file upload that becomes stored XSS once the file is served back to a browser [1]. Note that the official description only identifies the controller file, not the exact code path; the details above come from the reference, not from the NVD text.

Exploitation Scenario

A remote attacker crafts a malicious file, for example an HTML document containing a `<script>` payload, and submits it via a POST request to the `/sysConfig/setSysConfig` endpoint with a valid `Admin-Token` header. Because the request must carry that token, the attacker needs an authenticated session on the CRM; "remote" in the official description refers to network reachability, not to the absence of authentication. If the uploaded file is later rendered inline by the application or opened by other users, the embedded script executes in their browsers within the application's origin. The official description confirms that the attack can be initiated remotely, and a proof of concept has been publicly disclosed [1].

Impact

Successful exploitation gives the attacker persistent execution of JavaScript in the victim's browser, in the context of the victim's session with the CRM. That allows session hijacking through cookie or token theft, injection of phishing overlays, defacement of the page, or redirection to attacker-controlled domains. The CVSS v3 base score of 3.5 reflects low severity (the attacker already needs credentials and the victim must open the file), but the public availability of an exploit increases the practical risk [1].

Mitigation

The vendor did not respond to the early disclosure, and no patched version or official workaround has been published. Until a fix is available, administrators should restrict who can reach the upload endpoint, enforce a server-side allowlist of extensions and content types (checking the file's actual bytes, not just the declared Content-Type), and serve uploaded files with `Content-Disposition: attachment` and `X-Content-Type-Options: nosniff` so that even a file that slips through is downloaded rather than rendered. A Web Application Firewall (WAF) rule blocking HTML and SVG uploads can buy time, but it is a stopgap that does not address the missing validation in the application itself [1].
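The following is an added example of the server-side validation described in the analysis and mitigation above; it is not WukongCRM code and does not reproduce the project's upload handler. The allowlist, the sample files and the header set are assumptions chosen for illustration. It rejects the two failure modes the advisory describes (an active-content extension such as .svg, and HTML bytes hiding behind an image extension), stores the file under a content-derived name so the user-supplied filename never reaches a page, and emits response headers that stop a browser from rendering the upload inline.

```python
"""Upload validation of the kind recommended for CVE-2025-5879.

Added example, not WukongCRM's code. The allowlist, samples and header
set are illustrative assumptions, not the project's configuration.
"""
import hashlib
import re

# Allowlist: extension -> (accepted magic-byte prefixes, canonical MIME type).
# Assumed set; a real deployment lists only what the CRM actually needs.
ALLOWED_TYPES = {
    "png": ((b"\x89PNG\r\n\x1a\n",), "image/png"),
    "jpg": ((b"\xff\xd8\xff",), "image/jpeg"),
    "jpeg": ((b"\xff\xd8\xff",), "image/jpeg"),
    "gif": ((b"GIF87a", b"GIF89a"), "image/gif"),
    "pdf": ((b"%PDF-",), "application/pdf"),
}

# Markup a browser would execute if it ever rendered the file inline.
# Defence in depth on top of the magic-byte check, not a substitute for it.
ACTIVE_MARKUP = re.compile(
    rb"<\s*(script|svg|iframe|object|embed|html)\b|javascript:|on[a-z]+\s*=", re.I
)

# Plain filenames only: no separators, no control characters, bounded length.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_.-]{1,128}$")


def validate_upload(filename, data, declared_type):
    """Return (ok, reason). ok is True only when every check passes."""
    if not SAFE_NAME.match(filename) or ".." in filename:
        return False, "filename contains path or control characters"
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_TYPES:
        return False, f"extension .{ext} not in allowlist"
    magics, canonical = ALLOWED_TYPES[ext]
    if not any(data.startswith(m) for m in magics):
        return False, "file content does not match extension"
    if declared_type.split(";")[0].strip().lower() != canonical:
        return False, f"declared Content-Type {declared_type!r} is not {canonical}"
    if ACTIVE_MARKUP.search(data[:4096]):
        return False, "active markup found in file head"
    return True, "ok"


def stored_name(data, filename):
    """Content-addressed storage name; call only after validate_upload passed.

    The user-supplied name is never written to disk or echoed into HTML.
    """
    ext = filename.rsplit(".", 1)[-1].lower()
    return hashlib.sha256(data).hexdigest()[:16] + "." + ext


def download_headers(stored):
    """Headers for serving a stored upload so the browser downloads it
    instead of rendering it as a document (assumed header set)."""
    ext = stored.rsplit(".", 1)[-1]
    return {
        "Content-Type": ALLOWED_TYPES[ext][1],
        "Content-Disposition": f'attachment; filename="{stored}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }


# Constructed samples, not captured WukongCRM traffic.
SVG_WITH_SCRIPT = (
    b'<svg xmlns="http://www.w3.org/2000/svg">'
    b"<script>alert(document.cookie)</script></svg>"
)
HTML_AS_PNG = b"<html><body onload=alert(1)></body></html>"
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + bytes(17)

if __name__ == "__main__":
    for name, body, ctype in [
        ("logo.svg", SVG_WITH_SCRIPT, "image/svg+xml"),   # rejected: extension
        ("logo.png", HTML_AS_PNG, "image/png"),            # rejected: magic bytes
        ("logo.png", PNG_SAMPLE, "text/html"),             # rejected: declared type
        ("../etc/logo.png", PNG_SAMPLE, "image/png"),      # rejected: path chars
        ("logo.png", PNG_SAMPLE, "image/png"),             # accepted
    ]:
        print(name, ctype, validate_upload(name, body, ctype))
    stored = stored_name(PNG_SAMPLE, "logo.png")
    print(stored, download_headers(stored))
```

The magic-byte check is what actually closes the hole described in the analysis: an HTML or SVG body renamed to .png fails it regardless of what the client declares. The `download_headers` function is the part that matters even if validation is bypassed, because a browser that receives `attachment` plus `nosniff` will not execute script from the file within the CRM's origin.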

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 4

News mentions: 0 (no linked articles in our index yet)