Platform: other
Component: starsea-mall
Fixed in: 1.0.1
CVE-2025-2087 is a cross-site scripting (XSS) vulnerability, rated problematic, in StarSea Mall version 1.0. The flaw lets attackers inject malicious scripts by manipulating the goodsName argument handled by the /admin/goods/update file. Affected versions are listed as 1.0–1.0, and a patch is available in version 1.0.1.
Successful exploitation of CVE-2025-2087 allows an attacker to inject arbitrary JavaScript code into the StarSea Mall application. This can lead to various malicious outcomes, including session hijacking, defacement of the administrative interface, and redirection of users to phishing sites. The vulnerability’s remote accessibility significantly broadens the attack surface, potentially impacting all users who interact with the /admin/goods/update endpoint. The impact is particularly severe for administrators, as compromised accounts could grant attackers full control over the application’s configuration and data.
CVE-2025-2087 has been publicly disclosed, increasing the likelihood of exploitation. No specific exploit campaigns or KEV listing are currently known. The LOW CVSS score reflects the relatively simple exploitation path and potential impact, but the public disclosure warrants immediate attention. A public proof-of-concept may be available or developed soon.
Administrators of StarSea Mall installations running versions 1.0–1.0 are at direct risk. Shared hosting environments utilizing StarSea Mall are also vulnerable, as a compromised account on one site could potentially impact others on the same server.
Exploit status: disclosure
EPSS: 0.03% (7th percentile)
The primary mitigation for CVE-2025-2087 is to upgrade StarSea Mall to version 1.0.1 or later, which contains the necessary fix. If upgrading is not immediately feasible, consider implementing input validation and sanitization on the goodsName parameter within the /admin/goods/update endpoint. Web application firewalls (WAFs) configured to detect and block XSS payloads can provide an additional layer of defense. Regularly review and update input validation routines to prevent similar vulnerabilities from arising.
Update to a patched version that fixes the XSS vulnerability. If no such version is available, sanitize the 'goodsName' input to prevent injection of malicious code. Implement server-side data validation and encoding to prevent future XSS attacks.
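The two mitigation paragraphs above recommend server-side validation of goodsName plus encoding when it is displayed. The following is an added illustration of both controls, not StarSea Mall's own code; it assumes a Java stack (the page does not state the language), and the length limit, allowed character set and sample names are constructed placeholders.

```java
import java.util.regex.Pattern;

/** Defensive handling for the goodsName field (added example, not StarSea Mall code). */
public final class GoodsNameGuard {
    // Assumption: product names are bounded; 200 characters is a placeholder limit.
    private static final int MAX_LEN = 200;
    // Assumption: letters in any script, digits, spaces and a few punctuation marks
    // cover legitimate product names. Angle brackets and quotes are deliberately absent.
    private static final Pattern ALLOWED =
        Pattern.compile("^[\\p{L}\\p{N} \\-_.,()&/']+$");

    /** Server-side input validation: reject names outside the allowed shape. */
    public static boolean isValidGoodsName(String name) {
        if (name == null) return false;
        String trimmed = name.trim();
        return !trimmed.isEmpty()
            && trimmed.length() <= MAX_LEN
            && ALLOWED.matcher(trimmed).matches();
    }

    /** Output encoding for HTML text and attribute contexts, applied when the stored
     *  value is rendered in the admin interface. Validation alone is not enough,
     *  because values stored before the fix may already contain markup. */
    public static String escapeHtml(String s) {
        if (s == null) return "";
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#x27;"); break;
                case '/':  sb.append("&#x2F;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample inputs: a legitimate name and one that carries markup.
        String legitimate = "Wireless Mouse (Black) - 2.4GHz";
        String withMarkup = "Mouse <script>alert(1)</script>";
        System.out.println("valid? " + isValidGoodsName(legitimate));
        System.out.println("valid? " + isValidGoodsName(withMarkup));
        // Rendering path: the encoded form is inert text in the browser.
        System.out.println(escapeHtml(withMarkup));
    }
}
```

Apply the validation in the update handler before persisting goodsName and the encoding in every template that prints it; the WAF rules mentioned above remain a secondary layer, not a replacement for either.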
CVE-2025-2087 is a cross-site scripting (XSS) vulnerability in StarSea Mall versions 1.0–1.0, allowing attackers to inject malicious scripts via the /admin/goods/update endpoint.
You are affected if you are running StarSea Mall version 1.0–1.0. Upgrade to version 1.0.1 or later to resolve the vulnerability.
Upgrade StarSea Mall to version 1.0.1 or later. As a temporary workaround, implement input validation and sanitization on the goodsName parameter.
While no active exploitation campaigns are currently confirmed, the vulnerability has been publicly disclosed, increasing the risk of exploitation.
Refer to the StarSea Mall official website or security advisories for the latest information and updates regarding CVE-2025-2087.