Platform
php
Component
fc65dafa7237cc66a18ef6005075c31b
Fixed version
1.0.1
A cross-site scripting (XSS) vulnerability has been identified in code-projects Online Shop version 1.0. This flaw allows attackers to inject malicious scripts into the application, potentially compromising user data and session integrity. The vulnerability resides in the /view.php file and is triggered by manipulating the 'name/details' parameter. A patch is available in version 1.0.1.
Successful exploitation of CVE-2025-0175 allows an attacker to execute arbitrary JavaScript code within the context of a user's browser session. This can lead to various malicious actions, including session hijacking, defacement of the website, and redirection to phishing sites. Sensitive information, such as user credentials and personal data, could be stolen. The impact is amplified if the Online Shop is used to process financial transactions or handle sensitive customer information, potentially leading to significant financial and reputational damage.
This vulnerability has been publicly disclosed. While no active exploitation campaigns have been confirmed, the availability of the vulnerability details increases the risk of exploitation. The CVSS score of 3.5 (LOW) indicates a relatively low probability of exploitation, but proactive mitigation is still recommended. The vulnerability was published on 2025-01-03.
Small to medium-sized businesses utilizing code-projects Online Shop version 1.0 for e-commerce or product display are at risk. Shared hosting environments where multiple users share the same server resources are particularly vulnerable, as a compromise of one user's installation could potentially impact others.
• php / web:
grep -r "name/details" /var/www/html/view.php
• generic web:
curl -I 'http://your-shop-url.com/view.php?name/details=<script>alert(1)</script>'
Exploit status
EPSS
0.14% (34th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-0175 is to upgrade to version 1.0.1 of Online Shop, which includes the necessary fix. If upgrading immediately is not feasible, implement strict input validation and output encoding on the 'name/details' parameter within the /view.php file. Consider using a Web Application Firewall (WAF) with XSS filtering rules to block malicious requests. Regularly review and update the application's security configuration to minimize the attack surface.
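Update to the patched version, or apply the security measures needed to avoid the XSS vulnerability. In the /view.php file, validate and sanitize user input, particularly the 'name' and 'details' parameters. Use HTML escaping functions to prevent malicious code from executing.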
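One way to apply the input validation and HTML escaping recommended above when upgrading is not yet possible. This is an added example, not the project's code or the 1.0.1 patch: the function names (`e`, `clean_field`, `render_product`), the length limits and the sample input are assumptions, and the real /view.php may obtain these values differently.

```php
<?php
// Added example: hypothetical rendering code, NOT the actual view.php source.
// Requires PHP 8+ (uses the `mixed` type).
declare(strict_types=1);

/** Encode untrusted text for an HTML element body or a quoted attribute. */
function e(string $value): string
{
    // ENT_QUOTES encodes both quote styles; ENT_SUBSTITUTE replaces invalid
    // UTF-8 sequences instead of returning an empty string.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Validate one field: a non-empty string, bounded size, no control bytes. */
function clean_field(mixed $raw, int $maxBytes): ?string
{
    if (!is_string($raw)) {            // rejects array input such as name[]=x
        return null;
    }
    $raw = trim($raw);
    if ($raw === '' || strlen($raw) > $maxBytes) {
        return null;
    }
    // Allow tab, LF and CR; reject every other control character.
    if (preg_match('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', $raw) === 1) {
        return null;
    }
    return $raw;
}

/** Build the product markup from untrusted 'name' and 'details' values. */
function render_product(array $input): string
{
    $name    = clean_field($input['name'] ?? null, 100);     // assumed limit
    $details = clean_field($input['details'] ?? null, 2000); // assumed limit
    if ($name === null || $details === null) {
        return '<p>Invalid product data.</p>';
    }
    // Vulnerable pattern this replaces: '<h1>' . $name . '</h1>'
    // Validation narrows the input; encoding at output is what stops XSS.
    return '<h1>' . e($name) . '</h1>'
         . '<p>' . nl2br(e($details)) . '</p>';
}

// Constructed sample input reusing the probe string shown on this page.
$sample = ['name' => '<script>alert(1)</script>', 'details' => "Line 1\n\"quoted\" & <b>bold</b>"];
echo render_product($sample), PHP_EOL;
```

With the constructed input, the script tag is emitted as `&lt;script&gt;alert(1)&lt;/script&gt;` and is displayed as text rather than executed.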
CVE-2025-0175 is a cross-site scripting (XSS) vulnerability affecting Online Shop version 1.0, allowing attackers to inject malicious scripts via the /view.php file.
Yes, if you are running Online Shop version 1.0, you are vulnerable to this XSS attack. Upgrade to version 1.0.1 to mitigate the risk.
The recommended fix is to upgrade to version 1.0.1. As a temporary workaround, implement strict input validation and output encoding on the 'name/details' parameter.
While no active exploitation campaigns have been confirmed, the public disclosure of the vulnerability increases the risk of exploitation. Proactive mitigation is advised.
Refer to the code-projects website or relevant security forums for the official advisory regarding CVE-2025-0175.