yangshare warehouseManager CVE-2025-14538
LOWSeverity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A security vulnerability has been detected in yangshare warehouseManager 仓库管理系统 1.1.0. This affects the function addCustomer of the file CustomerManageHandler.java. Such manipulation of the argument Name leads to cross site scripting. The attack can be executed remotely. The exploit has been disclosed publicly and may be used.
AnalysisAI
Reflected cross-site scripting (XSS) in yangshare warehouseManager 仓库管理系统 1.1.0 allows authenticated remote attackers to inject malicious scripts via the Name parameter in the addCustomer function of CustomerManageHandler.java. User interaction is required for exploitation. Public exploit code is available, and the vulnerability has been disclosed publicly.
Technical ContextAI
The vulnerability exists in the customer management module of yangshare warehouseManager, specifically in the addCustomer function within CustomerManageHandler.java. The Name parameter is processed without proper input sanitization or output encoding, allowing injection of arbitrary HTML and JavaScript. This is a classic reflected XSS vulnerability (CWE-79) where unsanitized user input is reflected in subsequent HTTP responses. The attack vector is network-based, requiring only low authentication privileges (PR:L per CVSS vector), and depends on user interaction (UI:P) to execute injected scripts in a victim's browser.
Affected ProductsAI
yangshare warehouseManager 仓库管理系统 version 1.1.0 is confirmed affected. The vulnerability exists in the addCustomer function of CustomerManageHandler.java. No other versions are explicitly listed as affected in available sources, though the repository issue tracker and vulnerability databases (VulDB) contain the primary disclosure references.
RemediationAI
The primary remediation is to upgrade yangshare warehouseManager to a patched version beyond 1.1.0. Consult the Gitee repository (https://gitee.com/yangshare/warehouseManager) for available updates and security fixes. If immediate patching is not possible, implement input validation and output encoding on the Name parameter in the addCustomer function to sanitize user input before database storage and encode all output when reflecting user data in HTML responses. Restrict access to the customer management module to trusted users only, and ensure the application runs with minimal required privileges. Deploy a Web Application Firewall (WAF) configured to detect and block common XSS payloads in the Name parameter as a compensating control, though this should not replace patching.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today