CVE-2025-5523: enilu web-flash File Upload upload fileService.upload cross site scripting

3.5 CVSS

Description

A vulnerability classified as problematic has been found in enilu web-flash 1.0. This affects the function fileService.upload of the file src/main/java/cn/enilu/flash/api/controller/FileController/upload of the component File Upload. The manipulation of the argument File leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. Es wurde eine Schwachstelle in enilu web-flash 1.0 entdeckt. Sie wurde als problematisch eingestuft. Betroffen hiervon ist die Funktion fileService.upload der Datei src/main/java/cn/enilu/flash/api/controller/FileController/upload der Komponente File Upload. Dank der Manipulation des Arguments File mit unbekannten Daten kann eine cross site scripting-Schwachstelle ausgenutzt werden. Umgesetzt werden kann der Angriff über das Netzwerk. Der Exploit steht zur öffentlichen Verfügung.

Classification

CVE ID: CVE-2025-5523

CVSS Base Severity: LOW

CVSS Base Score: 3.5

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N

Problem Types

Cross Site Scripting Code Injection

Affected Products

Vendor: enilu

Product: web-flash

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.03% (probability of being exploited)

EPSS Percentile: 6.42% (scored less or equal to compared to others)

EPSS Date: 2025-06-05 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-5523
https://vuldb.com/?id.310959
https://vuldb.com/?ctiid.310959
https://vuldb.com/?submit.585342
https://gitee.com/enilu/web-flash/issues/ICAXTM

Timeline

2025-06-03 20:40:18 UTC
CVE

enilu web-flash File Upload upload fileService.upload cross site scripting