CVE-2025-14801 in TMS
Summary
by MITRE • 12/17/2025
A security vulnerability has been detected in xiweicheng TMS up to 2.28.0. This affects the function createComment of the file /admin/blog/comment/create. Such manipulation of the argument content leads to cross site scripting. The attack may be performed from remote. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 03/08/2026
This vulnerability resides within the xiweicheng TMS content management system version 2.28.0 and earlier, specifically targeting the createComment function located in the /admin/blog/comment/create endpoint. The flaw represents a classic cross-site scripting vulnerability that allows remote attackers to inject malicious scripts into the application's comment creation functionality. The vulnerability stems from inadequate input validation and sanitization of the content parameter, which permits attackers to submit malicious payloads that execute in the context of other users' browsers when they view the affected comments.
The technical implementation of this vulnerability aligns with CWE-79, which describes cross-site scripting flaws where untrusted data is directly incorporated into web pages without proper validation or encoding. The attack vector is particularly concerning as it operates entirely remotely, requiring no local access or authentication to exploit. An attacker can simply submit a malicious comment containing javascript code through the createComment endpoint, which then gets stored and executed whenever other users browse the affected blog section. This creates a persistent XSS vulnerability that can be leveraged for session hijacking, credential theft, or redirection to malicious sites.
The operational impact of this vulnerability extends beyond simple script execution, as it provides attackers with the ability to compromise user sessions and potentially escalate privileges within the application. Users who view the malicious comments could have their browser sessions hijacked, leading to unauthorized access to administrative functions or data manipulation. The vulnerability's public disclosure status significantly increases the risk profile as threat actors can readily exploit it without requiring advanced technical knowledge or reconnaissance. Given that the vendor did not respond to early disclosure attempts, organizations using this software face an elevated risk of exploitation without immediate remediation options.
Organizations should immediately implement defensive measures including input validation at the application level, output encoding of all user-supplied content, and content security policy implementation to prevent script execution. The recommended mitigation strategies include validating all comment content against a strict whitelist of allowed characters, implementing proper HTML encoding for display purposes, and considering the use of CSP headers to restrict script execution. Additionally, administrators should consider implementing rate limiting on comment creation endpoints to prevent automated exploitation attempts. This vulnerability demonstrates the critical importance of input validation and the potential for remote code execution through seemingly simple functionality, aligning with ATT&CK technique T1566 for initial access through web application attacks. The lack of vendor response underscores the necessity for organizations to maintain independent security monitoring and remediation capabilities.