CVE-2025-5135 MEDIUM

CVE-2025-5135: Tmall Demo Product Details Page admin cross site scripting

Vendor Tmall
Product Demo
Weakness CWE-79 · XSS
Published May 24, 2025
Last update May 28, 2025
View on NVD All CVEs

CVSS base score

4.8/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

A vulnerability, which was classified as problematic, has been found in Tmall Demo up to 20250505. Affected by this issue is some unknown functionality of the file /tmall/admin/ of the component Product Details Page. The manipulation of the argument Product Name/Product Title leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. The vendor was contacted early about this disclosure but did not respond in any way.

Key dates

02Disclosure timeline

May 24, 2025 CVE published
May 28, 2025 Record updated

Related vulnerabilities

04Related CVE

CVE-2023-45837 WordPress Ultimate Taxonomy Manager Plugin <= 2.0 is vulnerable to Cross Site Scripting (XSS) CVE-2024-9414 Cross-site Scripting vulnerability in LCDS LAquis SCADA CVE-2025-0862 SuperSaaS – online appointment scheduling <= 2.1.12 - Authenticated (Contributor+) Stored Cross-Site Scripting via after Parameter CVE-2025-54670 WordPress oik Plugin <= 4.15.2 - Cross Site Scripting (XSS) Vulnerability CVE-2025-47943 Gogs stored XSS in PDF renderer