关联漏洞
介绍
# CVE-2025-25620
Unifiedtransform v2.X is vulnerable to Stored Cross-Site Scripting (XSS) in the "Create Assignment" function, allowing attackers to execute malicious scripts in the context of other users' sessions.
Vendor: [Unifiedtransform](https://github.com/changeweb/Unifiedtransform)
---
## PoC
**Step 1:** Log in to the application as a Teacher.
**Step 2:** Create an assignment and upload a PDF file containing an XSS payload.
**Step 3:** Navigate to the "View Assignment" section under Courses and open the uploaded assignment.
**Impact:** Malicious scripts execute when the assignment is viewed, potentially leading to Account Takeover (ATO) and other severe security implications.
---
**Vulnerability Type:** Cross-Site Scripting (XSS)
**Attack Type:** Remote
**Impact:** Code Execution
**Attack Vectors:** Stored XSS through assignment creation, triggered upon assignment view.
**Discoverer:** Armaan Sidana
**References:**
- [Unifiedtransform Official Site](http://unifiedtransform.com)
- [Unifiedtransform GitHub Repository](https://github.com/changeweb/Unifiedtransform)
文件快照
[4.0K] /data/pocs/d535ff68642abbcaada6bbb22cc12299f85202ff
├── [1.1K] README.md
└── [127K] xss.pdf
0 directories, 2 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。