MRCMS, Cross-Site Scripting (XSS), CVE-2025-2194 (Medium)

How the CVE Works:

CVE-2025-2194 is a stored Cross-Site Scripting (XSS) vulnerability in MRCMS 3.1.2, specifically in the `/admin/file/list.do` endpoint of the `org.marker.mushroom.controller.FileController` component. The flaw arises from improper sanitization of the `path` parameter, which allows attackers to inject malicious JavaScript payloads. When an admin views the file list, the payload executes in their browser, potentially leading to session hijacking, unauthorized actions, or data theft. The vulnerability is remotely exploitable with low privileges (PR:L) and requires user interaction (UI:P).

DailyCVE Form:

Platform: MRCMS
Version: 3.1.2
Vulnerability: Stored XSS
Severity: Medium
Date: 04/09/2025

What Undercode Say:

Exploitation:

1. Craft a malicious `path` parameter with a JavaScript payload:

    GET /admin/file/list.do?path=<script>alert(document.cookie)</script> HTTP/1.1

2. Use social engineering to trick an admin into accessing the file list.

Protection:

1. Sanitize user input via regex or, preferably, encode the value for HTML output with a library such as OWASP ESAPI (used below) or the OWASP Java Encoder; encoding at render time is what actually neutralizes the payload:

    String safePath = ESAPI.encoder().encodeForHTML(request.getParameter("path"));

2. Implement a Content Security Policy (CSP) header. Do not include `'unsafe-inline'` in `script-src`, since that would allow the injected inline script to run anyway:

    Content-Security-Policy: default-src 'self'; script-src 'self'

Detection:

1. Scan with Burp Suite or ZAP for XSS vectors.

2. Check logs for unusual `path` values, including percent-encoded forms that a literal `<script>` match would miss:

    grep -riE "path=(<script|%3Cscript)" /var/log/mrcms/
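As an added example (not code from the page or from the MRCMS project), the following script extends the grep above: it parses access-log request lines, isolates the `path` query parameter of `/admin/file/list.do`, percent-decodes it repeatedly so double-encoded payloads are not missed, and flags script indicators. The log format, client addresses and payloads are constructed for the demonstration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Indicators of script injection, matched against the fully decoded value.
XSS_RE = re.compile(r"<\s*script|javascript\s*:|\bon\w+\s*=|<\s*(?:img|svg|iframe)\b", re.I)
# Request line inside a common/combined access-log entry.
REQ_RE = re.compile(r'"(?:GET|POST) (?P<target>\S+) HTTP/[\d.]+"')

def decode_fully(value, max_rounds=3):
    """Percent-decode until the value stops changing (bounded rounds)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_suspicious_path_requests(log_lines, endpoint="/admin/file/list.do", param="path"):
    """Return requests to `endpoint` whose `param` value contains an XSS indicator."""
    hits = []
    for lineno, line in enumerate(log_lines, start=1):
        m = REQ_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if parts.path != endpoint:
            continue
        # parse_qs already decodes one layer; decode_fully handles nested encoding.
        for raw in parse_qs(parts.query, keep_blank_values=True).get(param, []):
            value = decode_fully(raw)
            if XSS_RE.search(value):
                hits.append({"line": lineno, "client": line.split()[0], "path": value})
    return hits

# Constructed sample log lines (not real MRCMS logs): benign request,
# single-encoded payload, double-encoded payload, unrelated endpoint.
SAMPLE_LOG = [
    '10.0.0.5 - - [09/Apr/2025:10:00:01 +0000] "GET /admin/file/list.do?path=/uploads HTTP/1.1" 200 512',
    '10.0.0.9 - - [09/Apr/2025:10:00:02 +0000] "GET /admin/file/list.do?path=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 640',
    '10.0.0.9 - - [09/Apr/2025:10:00:03 +0000] "GET /admin/file/list.do?path=%253Cscript%253Ealert(1)%253C%252Fscript%253E HTTP/1.1" 200 640',
    '10.0.0.7 - - [09/Apr/2025:10:00:04 +0000] "GET /index.do?q=%3Cscript%3E HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for hit in find_suspicious_path_requests(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['client']} sent path={hit['path']!r}")
```

Note that requests whose payload travels in a POST body will not appear in the access log at all, so this check complements rather than replaces application-side logging.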

Mitigation:

1. Patch or upgrade MRCMS.

2. Disable unused endpoints in `web.xml` (an empty `<auth-constraint>` denies every request matching the pattern):

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>file-list</web-resource-name>
        <url-pattern>/admin/file/list.do</url-pattern>
      </web-resource-collection>
      <auth-constraint/>
    </security-constraint>

References:

Reported By: https://nvd.nist.gov/vuln/detail/CVE-2025-2194