CVE-2025-15416

2.4 LOW

📋 TL;DR

This vulnerability allows attackers to inject malicious scripts into the 'Remark' or 'Variable Value' parameters of the Add Global Variable Handler in xnx3 wangmarket. The injected script is stored (stored cross-site scripting, XSS), can be submitted remotely, and potentially affects users who access the compromised pages. Systems running wangmarket up to version 6.4 are vulnerable.

💻 Affected Systems

Products:
  • xnx3 wangmarket
Versions: Up to and including 6.4
Operating Systems: Any OS running wangmarket
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the /siteVar/save.do endpoint of the Add Global Variable Handler component.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal session cookies, redirect users to malicious sites, perform actions on behalf of authenticated users, or deface the website.

🟠 Likely Case

Attackers inject malicious scripts that execute in users' browsers, potentially stealing session tokens or performing limited unauthorized actions.

🟢 If Mitigated

With proper input validation and output encoding, the malicious scripts would be rendered harmless as text rather than executable code.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit details are publicly available on GitHub. Exploitation requires authentication to access the vulnerable endpoint.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available

Restart Required: No

Instructions:

No official patch available. Consider upgrading to a version above 6.4 if available, or implement workarounds.

🔧 Temporary Workarounds

Input Validation and Sanitization

Platform: all

Implement server-side validation and sanitization of 'Remark' and 'Variable Value' parameters to strip or encode HTML/JavaScript content.

Content Security Policy (CSP)

Platform: all

Implement a strict Content Security Policy header to prevent execution of inline scripts and unauthorized script sources.

🧯 If You Can't Patch

  • Restrict access to the /siteVar/save.do endpoint using network controls or web application firewalls (WAF).
  • Implement output encoding in the application to ensure user input is treated as text rather than executable code.

🔍 How to Verify

Check if Vulnerable:

Check if your wangmarket version is 6.4 or earlier and if the /siteVar/save.do endpoint accepts unsanitized input in Remark/Variable Value parameters.

Check Version:

Check the application's version in its admin panel or configuration files.

Verify Fix Applied:

Test the vulnerable endpoint with XSS payloads to ensure they are properly sanitized or blocked.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to /siteVar/save.do with script tags or JavaScript in parameters
  • Multiple failed attempts to access the endpoint

Network Indicators:

  • HTTP requests containing <script> tags or JavaScript functions in POST data to the vulnerable endpoint

SIEM Query:

source="web_server" AND (url="/siteVar/save.do" AND (post_data CONTAINS "<script>" OR post_data CONTAINS "javascript:"))
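The query above compares raw POST data with literal strings, but form bodies arrive percent-encoded, so a submitted `<script>` is logged as `%3Cscript%3E`. The following added example (not from the advisory or the wangmarket project) decodes each parameter before matching; the record layout, the marker list and the field names in the sample data are assumptions.

```python
import re
from urllib.parse import parse_qsl, urlsplit

ENDPOINT = "/siteVar/save.do"  # endpoint named in the advisory

# Triage heuristic (assumed marker list): script tags, javascript: URLs,
# and event-handler attributes inside a tag.
SUSPICIOUS = re.compile(
    r"<\s*script\b|javascript\s*:|<[^>]*\son\w+\s*=", re.IGNORECASE
)


def literal_match(raw_body):
    """The SIEM query's substring test, applied to the undecoded body."""
    return "<script>" in raw_body or "javascript:" in raw_body


def flag_requests(records):
    """Return (client, parameter, decoded value) for suspicious saves."""
    hits = []
    for rec in records:
        if rec["method"] != "POST" or urlsplit(rec["url"]).path != ENDPOINT:
            continue
        # parse_qsl percent-decodes each value once, as the server will.
        for name, value in parse_qsl(rec["body"], keep_blank_values=True):
            if SUSPICIOUS.search(value):
                hits.append((rec["client"], name, value))
    return hits


# Constructed sample records; "name", "value" and "remark" are placeholder
# field names, not wangmarket's real parameter names.
SAMPLE = [
    {"client": "192.0.2.10", "method": "POST", "url": "/siteVar/save.do",
     "body": "name=footer&value=Copyright+2025&remark=site+footer"},
    {"client": "192.0.2.44", "method": "POST", "url": "/siteVar/save.do",
     "body": "name=banner&value=hello&remark=%3Cscript%3Ealert(1)%3C%2Fscript%3E"},
    {"client": "192.0.2.44", "method": "POST", "url": "/siteVar/save.do",
     "body": "name=logo&value=%3Cimg+src%3Dx+onerror%3Dalert(1)%3E&remark=logo"},
    {"client": "192.0.2.10", "method": "GET", "url": "/index.html", "body": ""},
]

if __name__ == "__main__":
    for client, name, value in flag_requests(SAMPLE):
        print(f"{client} {name!r}: {value!r}")
```

This only works where the log source records request bodies, which most web servers do not do by default.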
