Platform: other
Component: starsea-mall
Fixed in: 1.0.1
CVE-2025-0400 is a cross-site scripting (XSS) vulnerability identified in StarSea Mall version 1.0. This flaw allows attackers to inject malicious scripts into the application, potentially compromising user sessions and data. The vulnerability is in the /admin/categories/update endpoint and is triggered by manipulating the categoryName argument. A fix is available in version 1.0.1.
Successful exploitation of CVE-2025-0400 allows an attacker to execute arbitrary JavaScript code within the context of a user's browser session. This can lead to various malicious activities, including session hijacking, defacement of the administrative interface, and theft of sensitive information such as user credentials or personal data. The attack is remotely exploitable, meaning an attacker does not need to be on the same network as the StarSea Mall server. The blast radius is limited to users interacting with the affected administrative panel.
CVE-2025-0400 has been publicly disclosed. While no active exploitation campaigns have been confirmed, the availability of the vulnerability details increases the risk of exploitation. The vulnerability is not currently listed in the CISA KEV catalog. Public proof-of-concept exploits are likely to emerge given the ease of exploitation.
Exploit Status
EPSS: 0.11% (30th percentile)
The primary mitigation for CVE-2025-0400 is to upgrade StarSea Mall to version 1.0.1, which includes the necessary fix. If upgrading immediately is not possible, consider implementing input validation and sanitization on the categoryName parameter in the /admin/categories/update endpoint. Web application firewalls (WAFs) configured to detect and block XSS payloads can also provide a temporary layer of protection. Regularly review and update security policies to prevent similar vulnerabilities in the future.
Update to a patched version or apply the necessary security measures to prevent the execution of cross-site scripting (XSS) code. Validate and sanitize user inputs, especially the categoryName field, before displaying them in the administrative interface. Implement a Content Security Policy (CSP) to mitigate the risk of XSS.
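A sketch of the interim controls described above, as an added example that is not StarSea Mall's code or its 1.0.1 fix: allow-list validation of categoryName on input, HTML encoding on output, and an audit of names already stored. The function names, the 50-character limit and the allowed character set are assumptions, and the sample names are constructed.

```python
import html
import re
import unicodedata

# Assumed policy: a category name is a short label made of letters (any
# script), digits, spaces and a few punctuation marks. Tune to the real catalogue.
MAX_LEN = 50
ALLOWED = re.compile(r"[\w &+,.'()/-]+")


def validate_category_name(raw: str) -> str:
    """Return the normalised name, or raise ValueError if it breaks the policy."""
    # NFKC folds look-alikes such as full-width '<' (U+FF1C) to ASCII first,
    # so they cannot slip past the allow-list and be folded back later.
    name = unicodedata.normalize("NFKC", raw).strip()
    if not name or len(name) > MAX_LEN:
        raise ValueError("categoryName length out of range")
    if not ALLOWED.fullmatch(name):
        raise ValueError("categoryName contains disallowed characters")
    return name


def render_category_cell(name: str) -> str:
    """Encode at output time, so values stored before the filter are inert too."""
    return "<td>" + html.escape(name, quote=True) + "</td>"


def find_suspect_names(stored_names):
    """Audit existing rows: return the names the input policy would now reject."""
    suspects = []
    for name in stored_names:
        try:
            validate_category_name(name)
        except ValueError:
            suspects.append(name)
    return suspects


# Constructed sample of stored category names (not taken from a real system).
SAMPLE_STORED = [
    "Phones & Tablets",
    "手机数码",
    "<script>alert(1)</script>",
    "Home\uff1cb\uff1e",
]

if __name__ == "__main__":
    for bad in find_suspect_names(SAMPLE_STORED):
        print("review:", render_category_cell(bad))
```

Running the audit against existing category rows matters because upgrading or filtering new input does not clean values that were saved earlier.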
CVE-2025-0400 is a cross-site scripting (XSS) vulnerability affecting StarSea Mall version 1.0, allowing attackers to inject malicious scripts via the /admin/categories/update endpoint.
You are affected if you are using StarSea Mall version 1.0. Upgrade to version 1.0.1 to mitigate the risk.
Upgrade StarSea Mall to version 1.0.1. As a temporary workaround, implement input validation and sanitization on the categoryName parameter.
While no active exploitation campaigns have been confirmed, the public disclosure increases the risk of exploitation.
Refer to the StarSea Mall official website or security channels for the advisory related to CVE-2025-0400.