Plateforme
other
Composant
starsea-mall
Corrigé dans
1.0.1
A cross-site scripting (XSS) vulnerability has been identified in StarSea-Mall Backend versions 1.0 through 1.0. This flaw allows attackers to inject malicious scripts via manipulation of the categoryName parameter within the /admin/indexConfigs/save endpoint. Successful exploitation could lead to session hijacking or defacement of the administrative interface. A patch is available in version 1.0.1.
The XSS vulnerability in StarSea-Mall Backend allows an attacker to inject arbitrary JavaScript code into the application. This code will then be executed in the context of the user's browser when they access the affected page. An attacker could leverage this to steal session cookies, redirect users to malicious websites, or modify the content displayed on the page. Given the administrative interface is targeted, a successful attack could grant the attacker control over the entire backend system, potentially leading to data breaches, system compromise, and further malicious activity. The lack of versioning makes it difficult to determine the full scope of affected deployments.
This vulnerability has been publicly disclosed, increasing the risk of exploitation. While the CVSS score is LOW (2.4), the potential impact on the administrative interface warrants immediate attention. No known active campaigns or KEV listing have been reported as of the publication date. Public proof-of-concept exploits are likely to emerge given the disclosure.
Organizations utilizing StarSea-Mall Backend in their deployments, particularly those with administrative access exposed through the /admin/indexConfigs/save endpoint, are at risk. Shared hosting environments where multiple users share the same StarSea-Mall Backend instance are also potentially vulnerable.
disclosure
Statut de l'Exploit
EPSS
0.08% (percentile 23%)
CISA SSVC
Vecteur CVSS
The primary mitigation for CVE-2025-2352 is to upgrade StarSea-Mall Backend to version 1.0.1, which contains the fix. If upgrading is not immediately feasible, consider implementing input validation and sanitization on the categoryName parameter within the /admin/indexConfigs/save endpoint. Web application firewalls (WAFs) configured to detect and block XSS payloads can also provide a temporary layer of protection. Thoroughly review and sanitize all user-supplied input to prevent further XSS vulnerabilities.
Mettre à jour vers une version corrigée ou appliquer les mesures de sécurité nécessaires pour éviter l'exécution de code JavaScript non désiré. Valider et nettoyer les entrées utilisateur, en particulier le paramètre categoryName, pour supprimer tout code malveillant avant de le sauvegarder dans la base de données ou de l'afficher dans l'interface.
Analyses de vulnérabilités et alertes critiques directement dans votre boîte mail.
CVE-2025-2352 is a cross-site scripting vulnerability in StarSea-Mall Backend versions 1.0–1.0, allowing attackers to inject malicious scripts via the /admin/indexConfigs/save endpoint.
If you are using StarSea-Mall Backend version 1.0–1.0, you are potentially affected by this vulnerability. Upgrade to version 1.0.1 to mitigate the risk.
Upgrade StarSea-Mall Backend to version 1.0.1. As an interim measure, implement input validation and sanitization on the categoryName parameter.
While no active campaigns have been confirmed, the vulnerability has been publicly disclosed, increasing the likelihood of exploitation.
Contact StarSea99 directly for the official advisory regarding CVE-2025-2352.
Téléverse ton fichier de dépendances et découvre instantanément si cette CVE et d'autres te touchent.