CVE-2025-2085 is a problematic cross-site scripting (XSS) vulnerability identified in starsea-mall version 1.0. This flaw allows attackers to inject malicious scripts via manipulation of the redirectUrl parameter within the /admin/carousels/save endpoint. A fix is available in version 1.0.1, and the vulnerability details have been publicly disclosed.
Successful exploitation of CVE-2025-2085 allows an attacker to execute arbitrary JavaScript code within the context of a user's browser session on the starsea-mall application. This can lead to various malicious outcomes, including session hijacking, defacement of the administrative interface, and theft of sensitive user data, such as login credentials or personal information. Given the administrative context of the affected endpoint, an attacker could potentially gain control over the entire application if they can successfully inject and execute malicious code.
CVE-2025-2085 has been publicly disclosed, indicating a higher probability of exploitation. While the CVSS score is LOW, the ease of exploitation and potential impact on administrative functions warrant attention. No known active campaigns or public proof-of-concept exploits have been reported as of the publication date, but the public disclosure increases the risk of future exploitation.
Administrators and users of starsea-mall version 1.0 are at risk. Shared hosting environments utilizing starsea-mall are particularly vulnerable, as a compromised account on one site could potentially impact other sites hosted on the same server.
Exploit status
EPSS
0.09% (25th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-2085 is to upgrade starsea-mall to version 1.0.1 or later, which contains the necessary fix. If upgrading is not immediately feasible, consider implementing input validation and sanitization on the redirectUrl parameter to prevent the injection of malicious scripts. Web application firewalls (WAFs) configured to detect and block XSS attacks can also provide an additional layer of protection. Verify the upgrade by attempting to access the /admin/carousels/save endpoint with a crafted redirectUrl parameter after the upgrade; the parameter should be properly sanitized and not execute any JavaScript.
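Update to a patched version of starsea-mall that fixes the XSS vulnerability. If a patched version is not available, sanitizing the input of the redirectUrl parameter is recommended to avoid injection of malicious code. As a temporary measure, a Content Security Policy (CSP) can be implemented to reduce the risk of unauthorized script execution.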
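One way to implement the redirectUrl validation and output encoding recommended above, as an added example that is not starsea-mall's own code or its 1.0.1 fix. It is written in Java on the assumption that the application is a Java code base; the class and method names and the sample URLs are constructed for illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Optional;

// Added illustration: hypothetical helper, not part of starsea-mall.
public class RedirectUrlGuard {
    // Accept only absolute http(s) URLs that carry a host; reject everything else.
    static Optional<String> validate(String raw) {
        if (raw == null || raw.isBlank() || raw.length() > 2048) return Optional.empty();
        URI uri;
        try {
            uri = new URI(raw.trim()); // throws on double quotes, <, >, spaces, control chars
        } catch (URISyntaxException e) { return Optional.empty(); }
        String scheme = uri.getScheme();
        boolean web = "http".equalsIgnoreCase(scheme) || "https".equalsIgnoreCase(scheme);
        // Blocks javascript:, data:, scheme-relative (//host) and host-less values.
        if (!web || uri.getHost() == null) return Optional.empty();
        return Optional.of(uri.toASCIIString());
    }

    // Encode for HTML text and quoted-attribute contexts when the value is rendered.
    static String escapeHtml(String v) {
        StringBuilder out = new StringBuilder(v.length() + 16);
        for (char c : v.toCharArray()) {
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '"': out.append("&quot;"); break;
                case '\'': out.append("&#39;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        String[] samples = { // constructed inputs, not taken from any report
            "https://shop.example/sale?id=7",
            "javascript:alert(1)",
            "https://shop.example/\"><script>alert(1)</script>",
            "https://shop.example/?q='x",
            "//shop.example/path",
        };
        for (String s : samples) {
            String verdict = validate(s).map(u -> "accept -> " + escapeHtml(u)).orElse("reject");
            System.out.println(verdict + "   [" + s + "]");
        }
    }
}
```

The fourth sample passes validation because a single quote is legal in a URI, which is why the value is still HTML-encoded at render time rather than trusted after the input check.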
CVE-2025-2085 is a cross-site scripting (XSS) vulnerability in starsea-mall version 1.0, allowing attackers to inject malicious scripts via the redirectUrl parameter.
You are affected if you are using starsea-mall version 1.0. Upgrade to 1.0.1 or later to mitigate the risk.
Upgrade starsea-mall to version 1.0.1 or later. Implement input validation and sanitization as a temporary workaround if upgrading is not immediately possible.
While no active campaigns are currently confirmed, the public disclosure increases the risk of future exploitation.
Refer to the starsea-mall project's official website or repository for the latest security advisories and updates.