
CVE-2025-2491 – Dromara ujcms Edit Template File Page WebFileTemplateController.java update cross site scripting
https://notcve.org/view.php?id=CVE-2025-2491
18 Mar 2025 — A vulnerability classified as problematic has been found in Dromara ujcms 9.7.5. This affects the function update of the file /main/java/com/ujcms/cms/ext/web/backendapi/WebFileTemplateController.java of the component Edit Template File Page. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
• https://github.com/dromara/ujcms/issues/14
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
• CWE-94: Improper Control of Generation of Code ('Code Injection')

CVE-2025-2490 – Dromara ujcms File Upload WebFileUploadController.java upload cross site scripting
https://notcve.org/view.php?id=CVE-2025-2490
18 Mar 2025 — A vulnerability was found in Dromara ujcms 9.7.5. It has been rated as problematic. Affected by this issue is the function uploadZip/upload of the file /main/java/com/ujcms/cms/ext/web/backendapi/WebFileUploadController.java of the component File Upload. The manipulation leads to cross site scripting. The attack may be launched remotely.
• https://github.com/dromara/ujcms/issues/12
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
• CWE-94: Improper Control of Generation of Code ('Code Injection')