MEDIUM Severity

CVE-2025-5135

Remote Cross Site Scripting vulnerability in Tmall Demo software

Overview

A Cross Site Scripting (XSS) vulnerability has been identified in Tmall Demo that can be triggered remotely. The affected code is an unspecified part of the product details page; the injection point is the Product Name/Product Title argument, which is rendered into that page without adequate encoding.

Technical Details

The vulnerability is located in the /tmall/admin/ component of Tmall Demo. A product name (Product Name/Product Title argument) set through that component is later displayed on the product details page, and the value is not encoded for the HTML context it is placed in, so markup or script contained in the name is interpreted by the visitor's browser. The assigned metrics (high privileges required, passive user interaction) are consistent with a stored XSS: a privileged account writes the payload once, and it fires for every user who subsequently views the affected product page. The exact view or template that emits the value is not identified in the advisory.

CVSS Metrics

The metric names below (User Interaction: Passive, Vulnerable System Confidentiality/Integrity/Availability) are those of CVSS v4.0.

  • Base Score: 4.8
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: HIGH
  • User Interaction: PASSIVE
  • Vulnerable System Confidentiality Impact: NONE
  • Vulnerable System Integrity Impact: LOW
  • Vulnerable System Availability Impact: NONE

Impact

A successful attack runs attacker-controlled script in the browser of any user who opens the affected product details page, in the origin of the Tmall Demo site. Because the payload is stored by a privileged account and delivered to ordinary visitors, the victims are the shop's users rather than the administrator who planted it: the script can perform actions with the visitor's session, alter what the page displays, or redirect the visitor elsewhere. The assigned metrics rate the integrity impact on the vulnerable system as low and the confidentiality and availability impact as none; the privileges required (an account able to edit product names) keep the score in the medium range.

Recommendations

Apply the vendor's fix for this issue as soon as it is available, and keep the deployment on a supported version. In the code, encode the product name for the exact context it is emitted in (HTML element text, attribute value, JavaScript string or URL each need their own encoding) at the point of output rather than relying on input filtering alone; input validation (length limits, rejection of control characters) is a useful second layer but cannot distinguish a legitimate name containing "<" from a payload. A Content Security Policy that disallows inline script, and session cookies marked HttpOnly, reduce the impact of any injection that slips through. After patching, audit product names already stored in the database, since a payload written before the fix remains there.
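The following is an added example written for this page, not code from Tmall Demo or from the original advisory. It shows the pattern described under Technical Details (a stored product name concatenated into the product details page) beside the output-encoding fix the Recommendations call for, and a helper for the post-patch audit of names already in the database. The render functions, the payload and the product rows are constructed stand-ins; the project's actual template and schema are not reproduced here.

```python
"""Output-encoding fix for a product-name XSS, with a stored-data audit helper.

Added example, not Tmall Demo's own code: the render functions are a
stand-in for whatever template builds the product details page.
"""
import html
import re

# Constructed payload: what a privileged user could type into the
# Product Name / Product Title field of the admin interface.
CONSTRUCTED_PAYLOAD = '<img src=x onerror="alert(document.cookie)">'

# Constructed rows standing in for a products table (id, name).
CONSTRUCTED_PRODUCTS = [
    (1, "Wireless Mouse"),
    (2, 'Monitor 27" 4K'),
    (3, CONSTRUCTED_PAYLOAD),
    (4, "Laptop <3 Deal"),
]


def render_product_vulnerable(name: str) -> str:
    """Hypothetical unsafe template: the stored name is concatenated into the
    page unchanged, both as element text and as an attribute value."""
    return (
        f'<h1 class="product-title">{name}</h1>\n'
        f'<input type="hidden" name="title" value="{name}">'
    )


def render_product_fixed(name: str) -> str:
    """Same markup with HTML output encoding applied at the point of use.

    html.escape(..., quote=True) turns & < > " ' into entities, so the value
    is inert both as element text and inside a double-quoted attribute.
    """
    safe = html.escape(name, quote=True)
    return (
        f'<h1 class="product-title">{safe}</h1>\n'
        f'<input type="hidden" name="title" value="{safe}">'
    )


# Heuristic for auditing already-stored names: a tag opener followed by a
# letter or slash, an event-handler attribute, or a javascript: URL.
_SUSPECT = re.compile(r"<\s*/?[a-zA-Z]|\bon[a-z]+\s*=|javascript\s*:", re.IGNORECASE)


def find_suspect_names(rows):
    """Return the ids of rows whose stored product name carries active markup.

    Run once after deploying the encoding fix to find records poisoned before
    it. A lone "<" (as in "Laptop <3 Deal") is not flagged because it does not
    start a tag; the point is to triage, not to replace output encoding.
    """
    return [pid for pid, name in rows if _SUSPECT.search(name)]


if __name__ == "__main__":
    print(render_product_vulnerable(CONSTRUCTED_PAYLOAD))
    print(render_product_fixed(CONSTRUCTED_PAYLOAD))
    print("suspect product ids:", find_suspect_names(CONSTRUCTED_PRODUCTS))
```

html.escape is the right tool only for HTML element and attribute contexts; a product name that is interpolated into an inline script block or a URL needs that context's own encoding, which is why the fix belongs in the template at each output site rather than in the admin form that accepts the name.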

Threat Metrics

  • cvss_score: 4.8
  • severity: MEDIUM
  • attack_vector: NETWORK
  • attack_complexity: LOW