Plateforme
other
Composant
security
Corrigé dans
1.0.1
CVE-2025-2085 is a problematic cross-site scripting (XSS) vulnerability identified in starsea-mall versions 1.0 through 1.0. This flaw allows attackers to inject malicious scripts via manipulation of the redirectUrl parameter within the /admin/carousels/save endpoint. A fix is available in version 1.0.1, and the vulnerability details have been publicly disclosed.
Successful exploitation of CVE-2025-2085 allows an attacker to execute arbitrary JavaScript code within the context of a user's browser session on the starsea-mall application. This can lead to various malicious outcomes, including session hijacking, defacement of the administrative interface, and theft of sensitive user data, such as login credentials or personal information. Given the administrative context of the affected endpoint, an attacker could potentially gain control over the entire application if they can successfully inject and execute malicious code.
CVE-2025-2085 has been publicly disclosed, indicating a higher probability of exploitation. While the CVSS score is LOW, the ease of exploitation and potential impact on administrative functions warrant attention. No known active campaigns or public proof-of-concept exploits have been reported as of the publication date, but the public disclosure increases the risk of future exploitation.
Administrators and users of starsea-mall version 1.0 are at risk. Shared hosting environments utilizing starsea-mall are particularly vulnerable, as a compromised account on one site could potentially impact other sites hosted on the same server.
disclosure
Statut de l'Exploit
EPSS
0.09% (percentile 25%)
CISA SSVC
Vecteur CVSS
The primary mitigation for CVE-2025-2085 is to upgrade starsea-mall to version 1.0.1 or later, which contains the necessary fix. If upgrading is not immediately feasible, consider implementing input validation and sanitization on the redirectUrl parameter to prevent the injection of malicious scripts. Web application firewalls (WAFs) configured to detect and block XSS attacks can also provide an additional layer of protection. Verify the upgrade by attempting to access the /admin/carousels/save endpoint with a crafted redirectUrl parameter after the upgrade; the parameter should be properly sanitized and not execute any JavaScript.
Mettre à jour vers une version corrigée de starsea-mall qui résout la vulnérabilité XSS. Si aucune version n'est disponible, il est recommandé de nettoyer les entrées du paramètre redirectUrl pour éviter l'injection de code malveillant. En tant que mesure temporaire, une politique de sécurité de contenu (CSP) peut être implémentée pour atténuer le risque d'exécution de scripts non autorisés.
Analyses de vulnérabilités et alertes critiques directement dans votre boîte mail.
CVE-2025-2085 is a cross-site scripting (XSS) vulnerability in starsea-mall versions 1.0–1.0, allowing attackers to inject malicious scripts via the redirectUrl parameter.
You are affected if you are using starsea-mall version 1.0. Upgrade to 1.0.1 or later to mitigate the risk.
Upgrade starsea-mall to version 1.0.1 or later. Implement input validation and sanitization as a temporary workaround if upgrading is not immediately possible.
While no active campaigns are currently confirmed, the public disclosure increases the risk of future exploitation.
Refer to the starsea-mall project's official website or repository for the latest security advisories and updates.
Téléverse ton fichier de dépendances et découvre instantanément si cette CVE et d'autres te touchent.