CVE-2025-14722
📋 TL;DR
This is a cross-site scripting (XSS) vulnerability in vion707 DMadmin's backend component that allows attackers to inject malicious scripts via the Add function. The vulnerability can be exploited remotely and affects all versions up to commit 3403cafdb42537a648c30bf8cbc8148ec60437d1. Organizations using this software with internet-facing admin interfaces are at risk.
💻 Affected Systems
- vion707 DMadmin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal admin session cookies, perform actions as administrators, or redirect users to malicious sites, potentially leading to full system compromise if combined with other vulnerabilities.
Likely Case
Session hijacking of admin accounts, defacement of admin interface, or credential theft through phishing-style attacks.
If Mitigated
Limited impact if proper input validation and output encoding are implemented, or if admin interface is not internet-facing.
🎯 Exploit Status
Exploit details are publicly disclosed in a GitHub repository. The attack requires access to the admin interface; no authentication bypass is involved.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: None available
Restart Required: No
Instructions:
No official patch available. Vendor was contacted but did not respond. Consider alternative software or implement workarounds.
🔧 Temporary Workarounds
Implement Input Validation and Output Encoding
Add proper input validation and HTML output encoding in the AddonsController.class.php file to sanitize user inputs.
Manual code modification required. Review and modify Admin/Controller/AddonsController.class.php
Restrict Admin Interface Access
Limit access to the admin interface using firewall rules or VPN-only access.
iptables -A INPUT -p tcp --dport [admin_port] -s [trusted_ips] -j ACCEPT
iptables -A INPUT -p tcp --dport [admin_port] -j DROP
🧯 If You Can't Patch
- Implement a web application firewall (WAF) with XSS protection rules
- Monitor admin interface access logs for suspicious activity and implement alerting
🔍 How to Verify
Check if Vulnerable:
Check whether your DMadmin checkout is at commit 3403cafdb42537a648c30bf8cbc8148ec60437d1 or an earlier commit in the git history; all such revisions are affected.
Check Version:
git log --oneline -1
Verify Fix Applied:
Test the Add function in the admin interface with XSS payloads to ensure they are properly sanitized.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to Admin/Controller/AddonsController.class.php with script tags or JavaScript in parameters
- Multiple failed admin login attempts followed by successful access
Network Indicators:
- HTTP requests containing <script> tags or JavaScript code in URL parameters or POST data to admin endpoints
SIEM Query:
source="web_logs" AND (uri="*AddonsController*" AND (param="*<script>*" OR param="*javascript:*"))
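The log and network indicators above, applied to sample web-server log lines, as an added example (not part of the advisory or the DMadmin project): it parses a combined-style log line that also carries the POST body, URL-decodes the query and body parameters, and flags requests to the AddonsController URI whose parameters contain the page's markers (`<script>` or `javascript:`). The log format, sample lines and IPs are constructed; decoding is repeated once so that double-encoded values are not missed.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed sample lines (not real DMadmin traffic): combined log format plus a
# trailing body="..." field, as a reverse proxy or WAF logging request bodies might emit.
SAMPLE_LOGS = [
    '10.0.0.5 - - [01/Jan/2025:10:00:00 +0000] "POST /Admin/Controller/AddonsController.class.php?a=add HTTP/1.1" 200 512 body="name=weather&desc=A+plugin"',
    '10.0.0.7 - - [01/Jan/2025:10:00:05 +0000] "POST /Admin/Controller/AddonsController.class.php?a=add HTTP/1.1" 200 512 body="name=%3Cscript%3Ex%3C%2Fscript%3E&desc=x"',
    '10.0.0.9 - - [01/Jan/2025:10:00:09 +0000] "GET /Admin/Controller/AddonsController.class.php?a=add&desc=javascript%3Avoid(0) HTTP/1.1" 200 300 body=""',
    '10.0.0.11 - - [01/Jan/2025:10:00:12 +0000] "POST /Admin/Controller/AddonsController.class.php?a=add HTTP/1.1" 200 512 body="name=%253Cscript%253E"',
    '10.0.0.5 - - [01/Jan/2025:10:01:00 +0000] "GET /Admin/Index/index?q=%3Cscript%3E HTTP/1.1" 200 1024 body=""',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ body="(?P<body>[^"]*)"$'
)
# Markers taken from the advisory's SIEM query; matched case-insensitively after decoding.
XSS_MARKERS = re.compile(r'<\s*script|javascript\s*:', re.IGNORECASE)

def parse_line(line):
    """Split one log line into fields; parameters from query string and body are merged."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec['uri'])
    rec['path'] = parts.path
    params = dict(parse_qsl(parts.query, keep_blank_values=True))  # parse_qsl URL-decodes once
    params.update(parse_qsl(rec['body'], keep_blank_values=True))
    rec['params'] = params
    return rec

def is_suspicious(rec):
    """True when the request targets the AddonsController URI and any parameter carries a marker."""
    if 'AddonsController' not in rec['path']:
        return False
    # Second decode catches double-encoded values (%253C -> %3C -> <).
    return any(XSS_MARKERS.search(unquote_plus(v)) for v in rec['params'].values())

def find_hits(lines):
    """Return (ip, method, path) for every line matching the advisory's indicators."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and is_suspicious(rec):
            hits.append((rec['ip'], rec['method'], rec['path']))
    return hits

if __name__ == '__main__':
    for hit in find_hits(SAMPLE_LOGS):
        print('suspicious request:', hit)
```

The last sample line shows the path filter at work: the same marker on a non-Addons URI is not reported, matching the scope of the SIEM query above.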