CVE-2025-2352 · Severity: LOW · CVSS 2.4

CVE-2025-2352: XSS in StarSea-Mall Backend

Platform: other

Component: starsea-mall

Fixed in: 1.0.1

AI Confidence: high · NVD · EPSS 0.1% · Reviewed: May 2026

A cross-site scripting (XSS) vulnerability has been identified in StarSea-Mall Backend version 1.0 (the affected range is recorded as 1.0 only). The categoryName parameter accepted by the /admin/indexConfigs/save endpoint is saved without adequate neutralization and later rendered in the administrative interface, so a user who can reach that endpoint can plant a script that runs in the browser of any administrator who views the affected page. Per the CVSS vector, exploitation requires a privileged account (PR:H) and an action by the victim (UI:R). Successful exploitation could lead to actions performed in the victim administrator's session or defacement of the administrative interface. A patch is available in version 1.0.1.

Impact and Attack Scenarios

The flaw lets an attacker who can submit to /admin/indexConfigs/save store arbitrary HTML or JavaScript in the categoryName field. The script executes in the browser of any user who later views the page that displays the value, with that user's privileges in the backend. Because the save endpoint itself requires a privileged account (PR:H in the CVSS vector), the realistic actor is a malicious, low-trust or compromised administrator targeting other administrators: the payload can issue any request those administrators are allowed to make, redirect them to attacker-controlled sites, or alter what the page displays. Cookie theft is only possible if the session cookie is readable from script; with an HttpOnly session cookie the script still acts within the victim's session but cannot exfiltrate the cookie itself, which is consistent with the vector scoring confidentiality impact as None. The project's versioning is coarse (the affected range is recorded as just 1.0), so treat any build that predates the 1.0.1 fix as affected.

Exploitation Context

This vulnerability has been publicly disclosed. The CVSS score is Low (2.4) mainly because exploitation requires a privileged account and a victim's interaction, not because the consequences are minor: on a backend shared by several administrators it is a credible path from one privileged account to another. No active campaigns or KEV listing have been reported as of the publication date. CISA's SSVC record lists exploitation as "poc", which means a public proof of concept or a well-known exploitation method exists, even though the exploit-status field below shows it as unknown; since XSS payloads are generic, plan on the assumption that a working payload is trivial to produce.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: High

EPSS

0.08% (23rd percentile)

CISA SSVC

Exploitation: poc
Automatable: no
Technical Impact: partial

CVSS Vector

CVSS 3.1 base score: 2.4 (LOW)
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: Required
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
High — admin or privileged account required to exploit; here, an account able to submit to /admin/indexConfigs/save.
User Interaction
Required — a victim must take an action; here, viewing the admin page on which the stored categoryName value is rendered.
Scope
Unchanged — impact is limited to the vulnerable component itself.
Confidentiality
None — no confidentiality impact. Attacker cannot read protected data.
Integrity
Low — attacker can modify some data with limited scope or impact.
Availability
None — no availability impact. Service remains fully operational.

Affected Software

Component: starsea-mall
Vendor: StarSea99
Affected range: 1.0 – 1.0
Fixed in: 1.0.1

Weakness Classification (CWE)

Not recorded for this entry. Cross-site scripting is generally classified as CWE-79 (Improper Neutralization of Input During Web Page Generation).

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated

Mitigation and Workarounds

The primary mitigation for CVE-2025-2352 is to upgrade StarSea-Mall Backend to version 1.0.1, which contains the fix. If upgrading is not immediately feasible, restrict the categoryName value accepted by /admin/indexConfigs/save to the characters a category name actually needs and, more importantly, HTML-encode the value wherever the admin interface renders it: input filtering alone is easy to bypass, while contextual output encoding addresses the root cause. A web application firewall tuned to block common XSS payloads adds a temporary layer, but it does nothing about payloads that are already stored. Because the injected value persists in the database, review the existing index configuration records for markup or script after patching; the upgrade does not clean data saved earlier. As defense in depth, mark the admin session cookie HttpOnly, deploy a Content Security Policy for the admin interface, and keep the number of accounts with backend privileges small, since the attacker must already hold one.

How to fix

Update to 1.0.1. If you maintain a fork or cannot upgrade yet, apply the same kind of fix yourself: encode categoryName (and every other user-controlled field) at the point where the template writes it into HTML, validate the value against an allowlist when /admin/indexConfigs/save receives it, and purge any stored values that already contain markup.
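One way to implement the three measures above (output encoding, an input allowlist, and an audit of rows already saved), as an added illustration in JavaScript rather than the project's own code; the advisory does not show StarSea-Mall's template or handler, so the field names other than categoryName, the allowlist policy and the sample rows are assumptions:

```javascript
// Added example (not StarSea-Mall's code): output encoding, an input allowlist and an
// audit of already-saved rows for the categoryName field of /admin/indexConfigs/save.
// Field names other than categoryName, the policy and the sample rows are assumptions.

// Contextual HTML encoding for a value placed in element text or a quoted attribute.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// Vulnerable pattern: the stored value is interpolated into HTML verbatim, so a payload
// saved through the endpoint executes in the browser of every administrator who
// renders the row.
function renderRowUnsafe(config) {
  return `<tr><td>${config.configName}</td><td>${config.categoryName}</td></tr>`;
}

// Hardened pattern: every value that originated from user input is encoded at the point
// it enters the HTML, regardless of what validation happened on the way in.
function renderRowSafe(config) {
  return `<tr><td>${escapeHtml(config.configName)}</td><td>${escapeHtml(config.categoryName)}</td></tr>`;
}

// Input-side allowlist for the save endpoint (hypothetical policy): 1-64 characters of
// letters or digits in any script, plus space and a few punctuation characters. Anything
// that could open a tag or an attribute is rejected before it reaches the database.
const CATEGORY_NAME_RE = /^[\p{L}\p{N} _()&.,-]{1,64}$/u;
function isValidCategoryName(name) {
  return typeof name === 'string' && CATEGORY_NAME_RE.test(name);
}

// Audit of rows that are already stored: the patch stops new payloads, it does not remove
// ones saved earlier. Flag anything that looks like markup, a javascript: URL or an
// inline event handler.
const SUSPICIOUS_RE = /[<>]|javascript:|\bon\w+\s*=/i;
function findSuspiciousRows(rows) {
  return rows.filter((row) => SUSPICIOUS_RE.test(String(row.categoryName)));
}

// Constructed sample rows standing in for the index configuration table.
const SAMPLE_ROWS = [
  { configId: 1, configName: 'hot-goods', categoryName: 'Phones' },
  { configId: 2, configName: 'new-arrivals', categoryName: 'Home & Kitchen' },
  { configId: 3, configName: 'promo', categoryName: '<img src=x onerror=alert(document.cookie)>' },
];

// Runs the input check, the stored-row audit and both render paths over the rows and
// returns the findings so they can be asserted on or logged.
function auditSample(rows = SAMPLE_ROWS) {
  return {
    invalidOnInput: rows.filter((row) => !isValidCategoryName(row.categoryName)).map((row) => row.configId),
    suspiciousStored: findSuspiciousRows(rows).map((row) => row.configId),
    unsafeRenderLeaksTag: rows.some((row) => renderRowUnsafe(row).includes('<img')),
    safeRenderLeaksTag: rows.some((row) => renderRowSafe(row).includes('<img')),
  };
}

console.log(JSON.stringify(auditSample(), null, 2));
```

The encoding step is the one that matters: in the real project it belongs in whatever server-side template engine writes categoryName into the admin page, and the allowlist is a second line that also keeps the audit regex meaningful. Run the audit against the actual index configuration table after upgrading, and treat every flagged row as evidence that a privileged account has already been used to plant a payload.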


Frequently asked questions

What is CVE-2025-2352 — XSS in StarSea-Mall Backend?

CVE-2025-2352 is a cross-site scripting vulnerability in StarSea-Mall Backend version 1.0: the categoryName parameter of the /admin/indexConfigs/save endpoint is saved and later rendered without proper encoding, so a user with access to that endpoint can inject script that runs in other administrators' browsers.

Am I affected by CVE-2025-2352 in StarSea-Mall Backend?

If you run StarSea-Mall Backend version 1.0, or any build that predates the 1.0.1 fix, you are potentially affected. Upgrade to version 1.0.1 to mitigate the risk.

How do I fix CVE-2025-2352 in StarSea-Mall Backend?

Upgrade StarSea-Mall Backend to version 1.0.1. As an interim measure, validate categoryName on input and HTML-encode it wherever it is rendered, and check the records already saved through /admin/indexConfigs/save for injected markup.

Is CVE-2025-2352 being actively exploited?

No active campaigns have been confirmed and the CVE is not in CISA's KEV catalog, but it has been publicly disclosed and CISA SSVC records a proof of concept, so assume exploitation is straightforward for anyone who already holds a privileged backend account.

Where can I find the official StarSea-Mall advisory for CVE-2025-2352?

No vendor advisory is linked here; contact StarSea99 directly for official guidance on CVE-2025-2352.
