Platform
javascript
Component
local-storage-todo-app
Fixed in
1.0.1
A cross-site scripting (XSS) vulnerability has been identified in Local Storage Todo App version 1.0. The flaw is located in the file /js-todo-app/index.html and is triggered through the 'Add' argument, the value submitted when a new item is added: that value reaches the page without proper encoding, so an attacker can inject script that runs in the context of any user who views the injected item. The issue is fixed in version 1.0.1.
Successful exploitation of CVE-2025-0228 lets an attacker run arbitrary JavaScript in the origin that serves Local Storage Todo App. From there the script can read or tamper with whatever that origin exposes (the stored todo data, cookies or session material if any exist, other applications on the same origin), redirect users to phishing sites, or deface the interface. The attack can be initiated remotely, which makes it a meaningful risk for anyone who interacts with the application. The impact grows if the application handles sensitive data or is embedded in, or shares an origin with, other systems.
This vulnerability has been publicly disclosed; the exploit status recorded below is "disclosure". No active exploitation campaigns have been linked to CVE-2025-0228, and it is not currently listed in CISA KEV. A public proof-of-concept may exist; even if none is published, an XSS payload for a page that echoes user input unencoded is trivial to construct, so opportunistic exploitation should be treated as possible.
Users of Local Storage Todo App version 1.0 are at risk, particularly those who keep sensitive information in it or who serve it from an origin shared with other applications, since injected script runs with that origin's cookies and storage. Deployments in production, or with access to critical data, are especially exposed.
Exploit status
disclosure
EPSS
0.09% (26th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-0228 is to upgrade to version 1.0.1 of Local Storage Todo App. If upgrading is not immediately feasible, fix the root cause in index.html: render item text as text (for example via textContent, or HTML-encode it before it is placed into markup) instead of inserting the raw 'Add' value into the DOM as HTML. Input validation on 'Add' alone is a weaker control, because a todo item is free text and any character an attacker needs may legitimately appear in it. A code review of index.html should locate every point where stored items are written into the page, not just the 'Add' handler, since items persisted in localStorage are re-rendered on each load. After upgrading, confirm the fix by adding an item such as <img src=x onerror=alert(1)> and verifying that it appears as literal text, both immediately and after reloading the page.
Update or uninstall the Local Storage Todo App application. Since it is a simple application, it is essential to check and sanitise user input in the index.html file to prevent XSS (Cross-Site Scripting) attacks. As an additional layer, deploy a Content Security Policy (CSP) that disallows inline scripts and inline event handlers to mitigate the risk; this reduces exploitability but does not replace the code fix.
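The two mitigation paragraphs above describe a fix in terms of the vulnerable rendering and the post-upgrade check. The following is an added example, not code from Local Storage Todo App or from the advisory: a hypothetical reconstruction of the vulnerable pattern (text from 'Add' concatenated into markup) beside a hardened renderer, a stand-in for localStorage so the example runs under Node, and the verification check. Every name in it (SAMPLE_TODOS, renderTodosUnsafe, makeStorage, payloadNeutralised, the "todos" storage key) is an assumption for illustration; the project's real index.html may be structured differently.

```javascript
// Added example, not code from Local Storage Todo App or its advisory. It
// reconstructs the vulnerable rendering pattern the advisory describes
// (item text from the 'Add' argument reaching the page as markup), puts the
// hardened renderer beside it, and provides the check used to verify the fix.
// All names here (SAMPLE_TODOS, renderTodosUnsafe, makeStorage, ...) are
// assumptions for illustration; the real index.html may differ.

// Constructed sample input: a benign item and an XSS payload submitted via 'Add'.
const SAMPLE_TODOS = [
  "Buy milk",
  '<img src=x onerror="alert(document.cookie)">',
];

// Vulnerable pattern (hypothetical reconstruction): item text is concatenated
// straight into the list markup, so a payload becomes a live element.
function renderTodosUnsafe(todos) {
  return "<ul>" + todos.map((t) => `<li>${t}</li>`).join("") + "</ul>";
}

// Hardened: escape the five HTML metacharacters before text touches markup.
// In a browser, assigning li.textContent = t is the simpler equivalent.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

function renderTodosSafe(todos) {
  return "<ul>" + todos.map((t) => `<li>${escapeHtml(t)}</li>`).join("") + "</ul>";
}

// Minimal stand-in for window.localStorage so the example runs under Node.
// Assumption (not stated in the advisory): the app persists its list as JSON
// under one key, which is why a payload added once keeps rendering on reload.
function makeStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
  };
}

function loadTodos(storage) {
  return JSON.parse(storage.getItem("todos") || "[]");
}

// 'Add' handler: stores the raw text. Storing raw is fine; the fix belongs at
// render time, so items saved before the upgrade are also rendered safely.
function addTodo(storage, text) {
  const list = loadTodos(storage);
  list.push(String(text));
  storage.setItem("todos", JSON.stringify(list));
  return list;
}

// Post-upgrade verification from the advisory: after rendering, nothing but
// the list's own <ul>/<li> tags may remain as live markup.
function payloadNeutralised(html) {
  const inner = html.replace(/<\/?(ul|li)>/g, "");
  return !inner.includes("<") && !inner.includes(">");
}

// Stand-alone demonstration.
const store = makeStorage();
for (const t of SAMPLE_TODOS) addTodo(store, t);
console.log("vulnerable render neutralised:", payloadNeutralised(renderTodosUnsafe(loadTodos(store))));
console.log("hardened render neutralised:  ", payloadNeutralised(renderTodosSafe(loadTodos(store))));
```

The escaping happens in the renderer rather than in the 'Add' handler on purpose: a payload that was persisted before the upgrade is still in storage, and encoding at render time neutralises it on the next load as well. payloadNeutralised is a smoke test for the verification step, not a sanitiser; in a real browser the equivalent check is to add the payload, reload, and confirm the item shows as literal text with no dialog and no new element in the DOM. A CSP such as `default-src 'self'` (no 'unsafe-inline') would additionally block the inline `onerror` handler in the sample payload, but it is defence in depth, not the fix.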
CVE-2025-0228 is a cross-site scripting (XSS) vulnerability in Local Storage Todo App version 1.0 that allows remote attackers to inject malicious scripts through the 'Add' argument in /js-todo-app/index.html.
Yes, if you are running Local Storage Todo App version 1.0 you are affected. Upgrade to version 1.0.1 to remove the risk.
The recommended fix is to upgrade to version 1.0.1 of Local Storage Todo App. If upgrading is not possible, change index.html so that item text is rendered as text (output-encoded or set via textContent) rather than inserted as HTML, and add a CSP as defence in depth.
No confirmed active exploitation campaigns are known and the CVE is not in CISA KEV, but it has been publicly disclosed and a proof-of-concept may be available, so the risk of opportunistic exploitation is real.
Refer to the project's official repository or website for the latest advisory and release notes regarding CVE-2025-0228.