CVE-2025-5134 MEDIUM

CVE-2025-5134: Tmall Demo Buy Item Page cross site scripting

Vendor Tmall
Product Demo
Weakness CWE-79 · XSS
Published May 24, 2025
Last update May 28, 2025
View on NVD All CVEs

CVSS base score

5.1/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

A vulnerability classified as problematic was found in Tmall Demo up to 20250505. Affected by this vulnerability is an unknown functionality of the component Buy Item Page. The manipulation of the argument Detailed Address leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available. Other parameters might be affected as well. The vendor was contacted early about this disclosure but did not respond in any way.

Key dates

02Disclosure timeline

May 24, 2025 CVE published
May 28, 2025 Record updated

Related vulnerabilities

04Related CVE

CVE-2024-4193 Testimonial Slider <= 1.3.2 - Authenticated (Contributor+) Stored Cross-Site Scripting CVE-2025-64716 Anubis vulnerable to possible XSS via redir parameter when using subrequest auth mode CVE-2025-4054 Relevanssi <= 4.24.3 (Free) and <= 2.27.4 (Premium) - Unauthenticated Stored Cross-Site Scripting via Search Highlights CVE-2025-64852 Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79) CVE-2026-27616 Vikunja Vulnerable to Stored Cross-Site Scripting (XSS) via Unsanitized SVG Attachment Upload Leading to Token Exposure