Suishang Enterprise B2B2C Mall CVE-2025-12289
LOWSeverity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A flaw has been found in Sui Shang Information Technology Suishang Enterprise-Level B2B2C Multi-User Mall System 1.0. Affected by this vulnerability is an unknown functionality of the file /Point/index/activity_state/1/category_id/1001. Executing manipulation of the argument category_id can lead to cross site scripting. The attack can be executed remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
AnalysisAI
Reflected cross-site scripting (XSS) in Suishang Enterprise-Level B2B2C Multi-User Mall System 1.0 allows remote attackers to inject malicious scripts via the category_id parameter in the /Point/index/activity_state endpoint. The vulnerability requires user interaction (UI:P) to trigger and has low integrity impact, but publicly available exploit code exists. The vendor did not respond to disclosure notifications.
Technical ContextAI
The vulnerability is a classic reflected cross-site scripting (CWE-79) flaw in the web application's URL parameter handling. The affected endpoint /Point/index/activity_state accepts a category_id parameter without proper sanitization or encoding before rendering it in the HTTP response. The attacker-controlled parameter is reflected directly into the page content, allowing injection of JavaScript payloads. This type of flaw typically occurs when user input is embedded in HTML or JavaScript contexts without context-appropriate encoding (HTML entity encoding, JavaScript string escaping, or URL encoding depending on where the parameter is rendered).
Affected ProductsAI
Sui Shang Information Technology Suishang Enterprise-Level B2B2C Multi-User Mall System version 1.0 is affected. The specific vulnerable endpoint is /Point/index/activity_state with the category_id parameter. No CPE identifier was located in the provided data. The vulnerability was reported via vuldb.com and GitHub CVE tracking without vendor-issued advisory links.
RemediationAI
Implement immediate input validation and output encoding for the category_id parameter in the /Point/index/activity_state endpoint. The primary fix is to upgrade to a patched version once the vendor releases one; contact Sui Shang Information Technology directly for patch availability. Until a vendor patch is released, implement context-appropriate HTML entity encoding for all reflected parameters before rendering them in the response-specifically encode category_id output when used in HTML attributes or text content. Additionally, implement Content Security Policy (CSP) headers with script-src 'self' to restrict inline script execution and reduce XSS impact. Validate category_id server-side to accept only expected alphanumeric values or numeric IDs, rejecting any input containing HTML or script tags. These controls will prevent reflected XSS exploitation while awaiting vendor patches.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today