{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2025-5523","assignerOrgId":"1af790b2-7ee1-4545-860a-a788eba489b5","state":"PUBLISHED","assignerShortName":"VulDB","dateReserved":"2025-06-03T09:39:28.680Z","datePublished":"2025-06-03T19:31:20.057Z","dateUpdated":"2025-06-03T20:15:24.579Z"},"containers":{"cna":{"providerMetadata":{"orgId":"1af790b2-7ee1-4545-860a-a788eba489b5","shortName":"VulDB","dateUpdated":"2025-06-03T19:31:20.057Z"},"title":"enilu web-flash File Upload upload fileService.upload cross site scripting","problemTypes":[{"descriptions":[{"type":"CWE","cweId":"CWE-79","lang":"en","description":"Cross Site Scripting"}]},{"descriptions":[{"type":"CWE","cweId":"CWE-94","lang":"en","description":"Code Injection"}]}],"affected":[{"vendor":"enilu","product":"web-flash","versions":[{"version":"1.0","status":"affected"}],"modules":["File Upload"]}],"descriptions":[{"lang":"en","value":"A vulnerability classified as problematic has been found in enilu web-flash 1.0. This affects the function fileService.upload of the file src/main/java/cn/enilu/flash/api/controller/FileController/upload of the component File Upload. The manipulation of the argument File leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used."},{"lang":"de","value":"Es wurde eine Schwachstelle in enilu web-flash 1.0 entdeckt. Sie wurde als problematisch eingestuft. Betroffen hiervon ist die Funktion fileService.upload der Datei src/main/java/cn/enilu/flash/api/controller/FileController/upload der Komponente File Upload. Dank der Manipulation des Arguments File mit unbekannten Daten kann eine cross site scripting-Schwachstelle ausgenutzt werden. Umgesetzt werden kann der Angriff über das Netzwerk. Der Exploit steht zur öffentlichen Verfügung."}],"metrics":[{"cvssV4_0":{"version":"4.0","baseScore":5.1,"vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N","baseSeverity":"MEDIUM"}},{"cvssV3_1":{"version":"3.1","baseScore":3.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N","baseSeverity":"LOW"}},{"cvssV3_0":{"version":"3.0","baseScore":3.5,"vectorString":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N","baseSeverity":"LOW"}},{"cvssV2_0":{"version":"2.0","baseScore":4,"vectorString":"AV:N/AC:L/Au:S/C:N/I:P/A:N"}}],"timeline":[{"time":"2025-06-03T00:00:00.000Z","lang":"en","value":"Advisory disclosed"},{"time":"2025-06-03T02:00:00.000Z","lang":"en","value":"VulDB entry created"},{"time":"2025-06-03T11:44:32.000Z","lang":"en","value":"VulDB entry last update"}],"credits":[{"lang":"en","value":"electroN1c (VulDB User)","type":"reporter"}],"references":[{"url":"https://vuldb.com/?id.310959","name":"VDB-310959 | enilu web-flash File Upload upload fileService.upload cross site scripting","tags":["vdb-entry","technical-description"]},{"url":"https://vuldb.com/?ctiid.310959","name":"VDB-310959 | CTI Indicators (IOB, IOC, TTP, IOA)","tags":["signature","permissions-required"]},{"url":"https://vuldb.com/?submit.585342","name":"Submit #585342 | enilu web-flash 1.0 Arbitrary File Upload","tags":["third-party-advisory"]},{"url":"https://gitee.com/enilu/web-flash/issues/ICAXTM","tags":["broken-link","exploit","issue-tracking"]}]},"adp":[{"references":[{"url":"https://gitee.com/enilu/web-flash/issues/ICAXTM","tags":["exploit"]}],"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2025-06-03T20:15:08.540329Z","id":"CVE-2025-5523","options":[{"Exploitation":"poc"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2025-06-03T20:15:24.579Z"}}]}}