Platform
other
Component
starsea-mall
Fixed version
1.0.1
CVE-2025-2086 is a cross-site scripting (XSS) vulnerability, classified as problematic, discovered in starsea-mall version 1.0. An attacker can inject malicious scripts by manipulating the redirectUrl parameter, potentially leading to session hijacking or defacement. The vulnerability affects version 1.0, and a fix is available in version 1.0.1.
Successful exploitation of CVE-2025-2086 allows an attacker to execute arbitrary JavaScript code within the context of a user's browser session. This can lead to the theft of sensitive information, such as cookies and session tokens, enabling the attacker to impersonate the user. The attacker could also modify the content of the page, redirect users to malicious websites, or launch further attacks against the user's system. Given the nature of XSS, the impact can range from minor annoyance to complete compromise of user accounts and data.
This vulnerability has been publicly disclosed. While the CVSS score is LOW, the ease of exploitation and potential impact on user data warrant attention. No known active campaigns targeting this specific vulnerability have been reported as of the publication date, but the public availability of the exploit increases the risk of opportunistic attacks. The vulnerability was disclosed on 2025-03-07.
Starsea-mall deployments, particularly those running version 1.0, are at risk. Shared hosting environments where multiple users share the same instance of starsea-mall are especially vulnerable, as an attacker could potentially compromise other users' accounts through this XSS vulnerability.
Exploit status
EPSS
0.09% (25th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-2086 is to upgrade starsea-mall to version 1.0.1 or later, which contains the fix. If upgrading immediately is not possible, consider implementing input validation and sanitization on the redirectUrl parameter to prevent malicious input. Web application firewalls (WAFs) configured to detect and block XSS attacks can also provide a temporary layer of protection. Review and harden the application's security configuration to minimize the attack surface.
Update to a version of starsea-mall that includes the patch for the XSS vulnerability. For details on the update, refer to the release notes or the vendor's website. As a temporary measure, filter or escape user input to the redirectUrl parameter to prevent script injection.
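The redirectUrl workaround described above, as an added example (not code from starsea-mall or its 1.0.1 fix; the page does not say how the parameter is handled): accept only same-site paths, and HTML-escape the value wherever it is reflected. The function names, the `/` fallback, the hidden-field markup and the sample inputs are assumptions made for illustration.

```python
import html
from urllib.parse import urlsplit

DEFAULT_TARGET = "/"  # assumed fallback page when the parameter is rejected


def safe_redirect_target(raw, default=DEFAULT_TARGET):
    """Return raw only if it is a same-site absolute path, else the default."""
    if not raw or len(raw) > 2048:
        return default
    # Browsers drop tab/CR/LF inside URLs and treat "\" like "/", so reject
    # control characters and backslashes before any parsing.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in raw) or "\\" in raw:
        return default
    # Exactly one leading "/": rules out "javascript:", "https://" and "//host".
    if not raw.startswith("/") or raw.startswith("//"):
        return default
    try:
        parts = urlsplit(raw)
    except ValueError:
        return default
    # Defense in depth: a same-site path has neither scheme nor host.
    if parts.scheme or parts.netloc:
        return default
    return raw


def render_hidden_field(raw):
    """Reflect the validated value into an HTML attribute, always escaped."""
    value = html.escape(safe_redirect_target(raw), quote=True)
    return f'<input type="hidden" name="redirectUrl" value="{value}">'


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any advisory or report.
    for sample in ["/orders?page=2", "javascript:alert(1)", "//other.example/x",
                   "/\\other.example", '/cart"><b>']:
        print(repr(sample), "->", render_hidden_field(sample))
```

Validation alone still lets markup characters through in a path, so the escaping at the point of output is what keeps the value from breaking out of the attribute.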
CVE-2025-2086 is a cross-site scripting (XSS) vulnerability in starsea-mall version 1.0, allowing attackers to inject malicious scripts via the redirectUrl parameter.
You are affected if you are running starsea-mall version 1.0. Upgrade to version 1.0.1 or later to mitigate the risk.
Upgrade starsea-mall to version 1.0.1 or later. Implement input validation and sanitization on the redirectUrl parameter as a temporary workaround.
No active campaigns targeting this specific vulnerability have been confirmed, but the public disclosure increases the risk of opportunistic attacks.
Refer to the starsea-mall project's official website or repository for the latest security advisories and updates.