xiweicheng TMS, Cross-Site Scripting (XSS), CVE-2025-14801 (MEDIUM)

Listen to this Post

The vulnerability CVE-2025-14801 is a Cross-Site Scripting (XSS) issue found in the xiweicheng Team Management System (TMS) up to version 2.28.0 . It specifically exists within the `createComment` function, which is accessed via the endpoint `/admin/blog/comment/create` . The core of the problem is that the application fails to properly sanitize or validate the user-supplied input passed to the `content` argument . Because this input is not neutralized before being stored and later displayed to other users, an attacker can inject malicious JavaScript code into this field . When an administrator or another user views the page containing this comment, the injected script executes within the context of their browser session . This qualifies as a stored XSS vulnerability. The attack can be performed remotely, and a proof-of-concept exploit has been publicly released by a researcher known as “red0_ha1yu” . The vendor was contacted about this disclosure but did not respond, leaving users of the affected versions without an official patch . According to the CVSS v4.0 metrics provided by VulDB, the vulnerability has a base score of 4.8 (Medium), with a vector string of CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P .

dailycve form:

Platform: xiweicheng TMS
Version: up to 2.28.0
Vulnerability: Cross Site Scripting
Severity: Medium
date: Dec 16 2025

Prediction: No Official Patch

What Undercode Say:

Analytics:

  • Vulnerability ID: CVE-2025-14801
  • Reported by: red0_ha1yu (VulDB User)
  • Published Date: 2025-12-16
  • CVSS Score: 4.8 (MEDIUM)
  • Attack Vector: Network
  • User Interaction: Required
  • Exploit Maturity: Proof-of-Concept (Public)
  • EPSS Score (Probability of Exploitation): 0.028%
  • CWE: CWE-79 (Improper Neutralization of Input During Web Page Generation)
  • Confidence: High (Vendor unresponsive, exploit available)

Exploit:

Example Proof-of-Concept using cURL to inject a script tag.
This payload would be stored and executed when an admin views the comment.
TARGET_URL="http://<target-website>/admin/blog/comment/create"
SESSION_COOKIE="<your_admin_session_cookie>"
curl -i -X POST \
-H "Cookie: session=$SESSION_COOKIE" \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "content=<script>alert('XSS_CVE-2025-14801')</script>" \
"$TARGET_URL"
echo "[+] Payload sent. Access the blog comment section to trigger."

Protection from this CVE:

  • Patch Application: No vendor patch available.
  • Input Sanitization: Implement strict output encoding and HTML sanitization on the `content` parameter.
  • WAF Rule: Block requests containing `
    Scroll to Top