Platform
other
Component
starsea-mall
Fixed in
1.0.1
CVE-2025-2087 is a cross-site scripting (XSS) vulnerability in StarSea Mall version 1.0. The flaw allows an attacker to inject script through the goodsName argument handled by /admin/goods/update. Only version 1.0 is affected; the fix ships in version 1.0.1.
Successful exploitation of CVE-2025-2087 lets an attacker run arbitrary JavaScript in the browser of anyone who views the injected goodsName value within the StarSea Mall application. Typical outcomes are session hijacking, defacement of the administrative interface, and redirection of users to phishing pages. Because the flaw is reachable remotely, every user who submits or views data passing through the /admin/goods/update endpoint is potentially exposed. The impact is most severe for administrators: a hijacked admin session can give the attacker control over the application's configuration and data.
CVE-2025-2087 has been publicly disclosed, which raises the likelihood of exploitation. No exploit campaigns or KEV listing are currently known. The LOW CVSS score reflects the limited impact of a single XSS injection rather than any difficulty in exploiting it; the public disclosure still warrants prompt attention, and a public proof-of-concept may already exist or appear soon.
Exploit Status
EPSS
0.03% (7th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-2087 is to upgrade StarSea Mall to version 1.0.1 or later, which contains the fix. If upgrading is not immediately feasible, add server-side validation of the goodsName parameter in the /admin/goods/update handler and, more importantly, encode the value for its output context wherever it is rendered: validation rejects the obvious payloads, while output encoding is what actually neutralizes the injection. A web application firewall (WAF) tuned to block XSS payloads adds a compensating layer, but treat it as such; XSS filter evasion is routine, so a WAF is not a substitute for the patch. Review input validation and output encoding routines regularly so that similar flaws do not recur.
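The following Python sketch is an added example, not StarSea Mall's own code (the project's source is not shown on this page). It demonstrates the two layers the interim workaround describes: a server-side validator for the goodsName parameter and contextual output encoding where the name is rendered, placed side by side with the vulnerable concatenation pattern so the difference is observable. The handler name, length limit and table-cell template are assumptions for illustration; the attacker payload is constructed inline.

```python
import html
import re

# Assumed limit for the hypothetical hardened handler; the real project's
# schema is not given on the page.
MAX_GOODS_NAME_LEN = 200

# Characters that have no business in a product name and are the building
# blocks of HTML/JS injection: tag delimiters and ASCII control characters.
_FORBIDDEN = re.compile(r"[<>\x00-\x1f\x7f]")


def validate_goods_name(raw: str) -> str:
    """Server-side input validation for goodsName.

    Returns the normalised name or raises ValueError. This is the
    'reject early' layer; it does NOT replace output encoding.
    """
    if not isinstance(raw, str):
        raise ValueError("goodsName must be a string")
    name = raw.strip()
    if not name:
        raise ValueError("goodsName must not be empty")
    if len(name) > MAX_GOODS_NAME_LEN:
        raise ValueError("goodsName too long")
    if _FORBIDDEN.search(name):
        raise ValueError("goodsName contains forbidden characters")
    return name


def encode_for_html(value: str) -> str:
    """Output encoding for an HTML text or quoted-attribute context."""
    return html.escape(value, quote=True)


def render_goods_row_unsafe(goods_name: str) -> str:
    """The vulnerable pattern: untrusted data concatenated straight into markup."""
    return f'<td class="goods-name">{goods_name}</td>'


def render_goods_row_safe(goods_name: str) -> str:
    """Hardened rendering: the value is encoded at the point of output."""
    return f'<td class="goods-name">{encode_for_html(goods_name)}</td>'


def contains_foreign_markup(rendered: str, template_tags: int = 2) -> bool:
    """Check helper: True if the rendered row carries more tags than the
    template itself (<td ...> and </td>), i.e. the data introduced markup."""
    return rendered.count("<") > template_tags


def handle_goods_update(params: dict) -> dict:
    """Hypothetical /admin/goods/update handler showing where each layer sits.

    Persistence is omitted; the returned row stands in for the admin page
    that would later display the stored name.
    """
    try:
        name = validate_goods_name(params.get("goodsName", ""))
    except ValueError as exc:
        return {"status": 400, "error": str(exc)}
    # ... persist `name` here ...
    return {"status": 200, "row": render_goods_row_safe(name)}


if __name__ == "__main__":
    # Constructed attacker payload for demonstration.
    payload = "<img src=x onerror=alert(document.cookie)>"
    print("unsafe:", render_goods_row_unsafe(payload))
    print("safe:  ", render_goods_row_safe(payload))
    print("handler:", handle_goods_update({"goodsName": payload}))
    print("handler:", handle_goods_update({"goodsName": "Tom's Tea & Co"}))
```

Names containing characters that are legitimate in product listings but meaningful in HTML, such as the apostrophe and ampersand in "Tom's Tea & Co", pass validation and are rendered harmlessly because encoding, not the validator, is doing the protective work; the validator only cuts off the crude payloads and oversized input before they reach storage.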
Update to a patched version that fixes the XSS vulnerability. If no patched version can be deployed yet, validate the goodsName input to reject injected markup, and apply server-side validation and output encoding consistently to prevent future XSS attacks.
CVE-2025-2087 is a cross-site scripting (XSS) vulnerability in StarSea Mall version 1.0 that allows attackers to inject malicious scripts through the goodsName argument of the /admin/goods/update endpoint.
You are affected if you are running StarSea Mall version 1.0. Upgrade to version 1.0.1 or later to resolve the vulnerability.
Upgrade StarSea Mall to version 1.0.1 or later. As a temporary workaround, validate the goodsName parameter on the server and encode it for its output context wherever it is rendered.
While no active exploitation campaigns are currently confirmed, the vulnerability has been publicly disclosed, increasing the risk of exploitation.
Refer to the StarSea Mall official website or security advisories for the latest information and updates regarding CVE-2025-2087.