Skip to main content

Suishang Enterprise-Level B2B2C Multi-User Mall System CVE-2025-12290

LOW
Cross-site Scripting (XSS) (CWE-79)
2025-10-27 cna@vuldb.com
2.1
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

1
Analysis Generated
Apr 29, 2026 - 02:32 vuln.today

DescriptionCVE.org

A vulnerability has been found in Sui Shang Information Technology Suishang Enterprise-Level B2B2C Multi-User Mall System 1.0. Affected by this issue is some unknown functionality of the file /i/359. The manipulation of the argument keywords leads to cross site scripting. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Reflected cross-site scripting (XSS) in Suishang Enterprise-Level B2B2C Multi-User Mall System 1.0 allows remote attackers to inject malicious scripts via the keywords parameter in the /i/359 endpoint. The vulnerability requires user interaction (clicking a malicious link) and results in limited integrity impact. Although exploit code has been publicly disclosed and the vendor did not respond to early disclosure, the EPSS score of 0.03% and low CVSS impact (2.1) suggest minimal real-world exploitation probability.

Technical ContextAI

The vulnerability is a stored or reflected XSS flaw (CWE-79) in a PHP/web-based B2B2C e-commerce platform. The /i/359 endpoint fails to properly sanitize or encode user-supplied input in the keywords parameter before reflecting it in HTTP responses or storing it in the database. Modern browsers' same-origin policy and Content Security Policy mitigations limit the scope, but attackers can still exfiltrate session cookies, perform phishing, or redirect users to malicious sites if the application does not implement output encoding or CSP headers. The affected product is a closed-source e-commerce mall system version 1.0; no CPE entry exists in public databases, limiting automated vulnerability scanning.

Affected ProductsAI

Suishang Enterprise-Level B2B2C Multi-User Mall System version 1.0 is confirmed affected. No other versions, patch levels, or product variants are documented in available sources. No CPE string has been assigned by NVD or MITRE. The product is developed by Sui Shang Information Technology, a Chinese software vendor with limited English-language documentation; vulnerability scanning tools are unlikely to detect this product without manual configuration.

RemediationAI

No vendor-released patch has been identified at time of analysis. The vendor did not respond to early disclosure and shows no signs of developing a fix. Immediate mitigation requires implementing input validation and output encoding: sanitize the keywords parameter by rejecting or escaping all HTML metacharacters (< > " ' &) before storing or reflecting it, and apply HTML entity encoding when rendering user input in web pages. Alternatively, implement a Content Security Policy (CSP) header with script-src 'self' to block inline script injection, though this does not prevent DOM-based XSS or cookie exfiltration via external services. Organizations using this product should consider: (1) restricting access to /i/359 and similar admin/user-input endpoints via IP whitelisting or WAF rules if the feature is non-critical, (2) upgrading to a maintained alternative B2B2C platform with active security updates, or (3) deploying a Web Application Firewall (WAF) with XSS detection rules to block malicious requests. Each mitigation carries trade-offs: WAF rules may generate false positives; feature restriction may degrade user experience; migration requires operational effort.

Share

CVE-2025-12290 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy