
JPACookieShop CVE-2025-8221

Severity: LOW
Weakness: Cross-site Scripting (XSS) (CWE-79)
2025-07-27 · CNA: cna@vuldb.com
Base score: 2.1 (CVSS 4.0, scored by NVD)

Severity by source

NVD (primary source): 2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector: Network (AV:N)
Attack Complexity: Low (AC:L)
Attack Requirements: None (AT:N)
Privileges Required: None (PR:N)
User Interaction: Passive (UI:P), i.e. the victim only has to open a crafted page or link
Vulnerable System Impact: Confidentiality None, Integrity Low, Availability None (VC:N/VI:L/VA:N)
Subsequent System Impact: None (SC:N/SI:N/SA:N)
Exploit Maturity: Proof-of-Concept (E:P)
Scope: not a CVSS 4.0 metric; the 4.0 base score separates vulnerable-system and subsequent-system impact instead, so this field is undefined (X)

Lifecycle Timeline

1. Analysis Generated: Apr 29, 2026 01:49 (vuln.today)

Description (CVE.org)

A vulnerability classified as problematic was found in jerryshensjf JPACookieShop 蛋糕商城JPA版 (Cake Shop, JPA edition) up to 24a15c02b4f75042c9f7f615a3fed2ec1cefb999. Affected by this vulnerability is the function goodsSearch of the file GoodsCustController.java. The manipulation of the argument keyword leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. This product takes the approach of rolling releases to provide continuous delivery. Therefore, version details for affected and updated releases are not available.

Analysis (AI)

Reflected cross-site scripting (XSS) in the goodsSearch handler of JPACookieShop's GoodsCustController lets a remote, unauthenticated attacker inject HTML and JavaScript through the keyword parameter; the payload executes in the browser of any user who opens a crafted search URL, in the shop's origin and with that user's session. NVD rates it 2.1 (Low) under CVSS 4.0: the endpoint is network-reachable with low attack complexity, but the victim has to follow the attacker's link (UI:P) and the vector records only a low integrity impact on the vulnerable system and no confidentiality impact. A public proof of concept exists (E:P). With an EPSS of 0.06% and no confirmed exploitation in the wild, the real-world risk is low despite the disclosed PoC.

Technical Context (AI)

The flaw is in GoodsCustController.java, in the goodsSearch handler that serves product search. The keyword request parameter is written back into the HTML response without output encoding, so a value containing markup such as a <script> element is parsed by the victim's browser as HTML rather than displayed as search text, and any script in it runs with the page's origin, with access to the DOM and to any cookies not marked HttpOnly. This is CWE-79 (Improper Neutralization of Input During Web Page Generation) in its reflected form: the payload travels in the request and is echoed in the same response, so delivery is a crafted link rather than stored content. The project ships from a rolling branch without tagged versions, which is why the advisory identifies the affected code by commit (up to 24a15c02b4f75042c9f7f615a3fed2ec1cefb999) rather than by release, and why the CPE cpe:2.3:a:jerryshensjf:jpacookieshop cannot carry a meaningful version range; inventory- or version-based patch tracking is unreliable for this product and deployments should be compared against the fixing commit instead.

Remediation (AI)

Fix the sink: encode keyword for the HTML context in which goodsSearch renders it, using the OWASP Java Encoder (Encode.forHtml for element content, Encode.forHtmlAttribute inside attribute values) or Spring's HtmlUtils.htmlEscape, or render it only through template constructs that escape by default and never through ones that emit raw HTML. Input validation on keyword is at best a stopgap: a search term legitimately contains punctuation, a filter that strips angle brackets and quotes breaks real searches, and it does not cover every rendering context, so output encoding remains the primary defence. Because the project has no versioned releases there is no fixed version to upgrade to; until a fixing commit is available, apply compensating controls: a Content-Security-Policy header whose script-src omits 'unsafe-inline', so a reflected inline script is not executed by CSP-enforcing browsers, and HttpOnly and Secure flags on the session cookie so a successful injection cannot read the session identifier (this limits the damage but does not stop the script from acting within the page). Watch https://github.com/jerryshensjf/JPACookieShop for a commit that changes GoodsCustController.java after 24a15c02b4f75042c9f7f615a3fed2ec1cefb999 and redeploy from it promptly.
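As an added example (not JPACookieShop code, and not taken from the advisory), the following Java class shows the shape of the reflected sink described in the Technical Context and the two encoding fixes named in the Remediation, plus how to attach the CSP header to a Spring response. Only the names goodsSearch and keyword come from the advisory; the class name, the rendering helpers and the payload string are constructed for illustration, and the example assumes org.owasp.encoder:encoder and spring-web on the classpath (the latter is present in any Spring Boot web application).

```java
import org.owasp.encoder.Encode;                // OWASP Java Encoder (org.owasp.encoder:encoder)
import org.springframework.http.MediaType;      // spring-web
import org.springframework.http.ResponseEntity; // spring-web
import org.springframework.web.util.HtmlUtils;  // spring-web

// Illustrative class, not the project's GoodsCustController.
public class GoodsSearchXssDemo {

    // Constructed attacker input: breaks out of a double-quoted attribute, then
    // injects a script element. Reflected unencoded, it runs in the victim's browser.
    static final String PAYLOAD = "\"><script>alert(document.cookie)</script>";

    // VULNERABLE shape (illustrative): the search term is concatenated straight into
    // the HTML body, once as element text and once as an attribute value.
    static String renderVulnerable(String keyword) {
        return "<h2>Search results for: " + keyword + "</h2>\n"
             + "<input name=\"keyword\" value=\"" + keyword + "\">";
    }

    // FIXED with the OWASP Java Encoder: contextual encoding. Element text gets
    // HTML body encoding; the attribute value gets attribute encoding so a closing
    // quote in the input cannot terminate the attribute.
    static String renderOwaspEncoded(String keyword) {
        return "<h2>Search results for: " + Encode.forHtml(keyword) + "</h2>\n"
             + "<input name=\"keyword\" value=\"" + Encode.forHtmlAttribute(keyword) + "\">";
    }

    // FIXED with Spring's helper: HtmlUtils.htmlEscape replaces & < > " and ' with
    // entity references, which is sufficient for element text and for values inside
    // double-quoted attributes.
    static String renderSpringEscaped(String keyword) {
        String safe = HtmlUtils.htmlEscape(keyword);
        return "<h2>Search results for: " + safe + "</h2>\n"
             + "<input name=\"keyword\" value=\"" + safe + "\">";
    }

    // Compensating control: a CSP with no 'unsafe-inline' in script-src, so an
    // inline script that slips through an encoding gap is not executed.
    static final String CSP =
        "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'";

    // How a Spring handler would return the encoded page with the CSP header attached.
    // (A hypothetical handler; goodsSearch in the real project may return a view name
    // instead, in which case the encoding belongs in the template.)
    static ResponseEntity<String> goodsSearchResponse(String keyword) {
        return ResponseEntity.ok()
            .header("Content-Security-Policy", CSP)
            .contentType(MediaType.TEXT_HTML)
            .body(renderOwaspEncoded(keyword));
    }

    // True when the rendered HTML still contains the raw script element, i.e. the
    // payload survived rendering unencoded.
    static boolean reflectsRawScript(String html) {
        return html.contains("<script>");
    }

    public static void main(String[] args) {
        System.out.println("--- vulnerable ---\n" + renderVulnerable(PAYLOAD));
        System.out.println("raw <script> reflected: " + reflectsRawScript(renderVulnerable(PAYLOAD)));
        System.out.println("--- OWASP encoder ---\n" + renderOwaspEncoded(PAYLOAD));
        System.out.println("raw <script> reflected: " + reflectsRawScript(renderOwaspEncoded(PAYLOAD)));
        System.out.println("--- Spring HtmlUtils ---\n" + renderSpringEscaped(PAYLOAD));
        System.out.println("raw <script> reflected: " + reflectsRawScript(renderSpringEscaped(PAYLOAD)));
        System.out.println("--- response headers ---\n" + goodsSearchResponse(PAYLOAD).getHeaders());
    }
}
```

If goodsSearch returns a view name rather than building the response body itself, the fix moves into the template: Thymeleaf's th:text escapes by default while th:utext does not, and in JSP a <c:out value="${keyword}"/> escapes while a bare ${keyword} expression does not. Which view technology JPACookieShop uses is not stated on this page. For the cookie flags, a Spring Boot deployment sets server.servlet.session.cookie.http-only=true and server.servlet.session.cookie.secure=true in application.properties.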

CVE-2025-8221 vulnerability details – vuln.today
