Skip to main content

Suishang Enterprise B2B2C Mall CVE-2025-12289

LOW
Cross-site Scripting (XSS) (CWE-79)
2025-10-27 cna@vuldb.com
2.1
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

1
Analysis Generated
Apr 29, 2026 - 02:32 vuln.today

DescriptionCVE.org

A flaw has been found in Sui Shang Information Technology Suishang Enterprise-Level B2B2C Multi-User Mall System 1.0. Affected by this vulnerability is an unknown functionality of the file /Point/index/activity_state/1/category_id/1001. Executing manipulation of the argument category_id can lead to cross site scripting. The attack can be executed remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Reflected cross-site scripting (XSS) in Suishang Enterprise-Level B2B2C Multi-User Mall System 1.0 allows remote attackers to inject malicious scripts via the category_id parameter in the /Point/index/activity_state endpoint. The vulnerability requires user interaction (UI:P) to trigger and has low integrity impact, but publicly available exploit code exists. The vendor did not respond to disclosure notifications.

Technical ContextAI

The vulnerability is a classic reflected cross-site scripting (CWE-79) flaw in the web application's URL parameter handling. The affected endpoint /Point/index/activity_state accepts a category_id parameter without proper sanitization or encoding before rendering it in the HTTP response. The attacker-controlled parameter is reflected directly into the page content, allowing injection of JavaScript payloads. This type of flaw typically occurs when user input is embedded in HTML or JavaScript contexts without context-appropriate encoding (HTML entity encoding, JavaScript string escaping, or URL encoding depending on where the parameter is rendered).

Affected ProductsAI

Sui Shang Information Technology Suishang Enterprise-Level B2B2C Multi-User Mall System version 1.0 is affected. The specific vulnerable endpoint is /Point/index/activity_state with the category_id parameter. No CPE identifier was located in the provided data. The vulnerability was reported via vuldb.com and GitHub CVE tracking without vendor-issued advisory links.

RemediationAI

Implement immediate input validation and output encoding for the category_id parameter in the /Point/index/activity_state endpoint. The primary fix is to upgrade to a patched version once the vendor releases one; contact Sui Shang Information Technology directly for patch availability. Until a vendor patch is released, implement context-appropriate HTML entity encoding for all reflected parameters before rendering them in the response-specifically encode category_id output when used in HTML attributes or text content. Additionally, implement Content Security Policy (CSP) headers with script-src 'self' to restrict inline script execution and reduce XSS impact. Validate category_id server-side to accept only expected alphanumeric values or numeric IDs, rejecting any input containing HTML or script tags. These controls will prevent reflected XSS exploitation while awaiting vendor patches.

Share

CVE-2025-12289 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy