Platform
php
Component
bb6781e5977bda36610fda20861a5bbe
Fixed version
1.0.1
CVE-2025-9237 is a cross-site scripting (XSS) vulnerability discovered in CodeAstro Ecommerce Website version 1.0. This flaw allows attackers to inject malicious scripts into the application, potentially compromising user accounts and data. The vulnerability resides in the /customer/myaccount.php?editaccount file, specifically the Username parameter. A patch is available in version 1.0.1.
Successful exploitation of CVE-2025-9237 allows an attacker to inject arbitrary JavaScript code into the CodeAstro Ecommerce Website. This can be used to steal user session cookies, redirect users to malicious websites, or deface the website. The impact is heightened because the vulnerability is remotely exploitable and the exploit is publicly available. Attackers could leverage this to gain unauthorized access to user accounts, potentially leading to data theft or further compromise of the e-commerce platform. The blast radius extends to all users who interact with the affected 'Edit Your Account' page.
The exploit for CVE-2025-9237 has been publicly disclosed, increasing the likelihood of exploitation. The vulnerability is rated LOW severity based on the CVSS score. As of the publication date, there's no indication of active exploitation campaigns targeting this specific vulnerability, but the public availability of the exploit means it could be incorporated into automated scanning tools or exploited by less sophisticated attackers. This CVE was published on 2025-08-20.
E-commerce businesses using CodeAstro Ecommerce Website version 1.0 are at direct risk. Shared hosting environments where multiple websites share the same server are particularly vulnerable, as a compromise of one site could potentially lead to the compromise of others. Users who frequently update their account information through the 'Edit Your Account' page are also at higher risk.
• php / web:
curl -s -X POST "http://your-website.com/customer/my_account.php?edit_account" -d "Username=<script>alert('XSS')</script>" | grep -i alert
• generic web:
curl -I "http://your-website.com/customer/my_account.php?edit_account&Username=<script>alert('XSS')</script>"
• generic web: Examine access logs for requests to /customer/myaccount.php?editaccount containing suspicious characters or script tags in the Username parameter.
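The access-log check above can be scripted. The following PHP CLI script is an added example, not part of the advisory or of the CodeAstro project: it parses combined-format access log lines, keeps only requests to the edit-account page (both path spellings that appear in this advisory), and flags a Username parameter that decodes to tags, event-handler attributes or a javascript: URL. The log lines, client addresses and function names are constructed for the example.

```php
<?php
// Added example (not from the advisory or CodeAstro): scan combined-format
// access log lines for requests to the affected edit-account page whose
// Username parameter carries markup or script. Sample lines are constructed;
// 203.0.113.x is a documentation address range.

declare(strict_types=1);

$sampleLog = <<<'LOG'
203.0.113.5 - - [20/Aug/2025:10:01:02 +0000] "GET /customer/myaccount.php?editaccount&Username=alice HTTP/1.1" 200 512
203.0.113.9 - - [20/Aug/2025:10:02:14 +0000] "GET /customer/myaccount.php?editaccount&Username=%3Cscript%3Ealert%281%29%3C%2Fscript%3E HTTP/1.1" 200 640
203.0.113.9 - - [20/Aug/2025:10:02:30 +0000] "GET /customer/my_account.php?edit_account&Username=bob%22%20onmouseover%3D%22x HTTP/1.1" 200 640
203.0.113.12 - - [20/Aug/2025:10:03:00 +0000] "GET /index.php HTTP/1.1" 200 2048
LOG;

/**
 * True when a Username value looks like markup or script: an opening/closing
 * tag, an on*= event handler, or a javascript: URL. Decodes twice so a
 * double-encoded payload (%253C -> %3C -> <) is still caught.
 */
function looksLikeXss(string $value): bool
{
    $decoded = rawurldecode(rawurldecode($value));
    return (bool) preg_match('/<\s*\/?\s*[a-z]|\bon[a-z]+\s*=|javascript\s*:/i', $decoded);
}

/**
 * Parse one combined-format line; return a finding array for a suspicious
 * request to the edit-account page, or null for anything else.
 */
function inspectLogLine(string $line): ?array
{
    // client ident user [time] "METHOD target HTTP/x" status ...
    if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/', $line, $m)) {
        return null;
    }
    [, $client, $time, $method, $target, $status] = $m;

    // Both path spellings used in the advisory are in scope.
    if (!preg_match('#^/customer/my_?account\.php#', $target)) {
        return null;
    }

    // parse_str decodes the query string into an associative array.
    $query = (string) parse_url($target, PHP_URL_QUERY);
    parse_str($query, $params);
    $username = $params['Username'] ?? null;
    if ($username === null || !looksLikeXss((string) $username)) {
        return null;
    }

    return [
        'client'   => $client,
        'time'     => $time,
        'method'   => $method,
        'status'   => (int) $status,
        'username' => (string) $username,
    ];
}

/** Scan a multi-line log and return every finding. */
function scanAccessLog(string $log): array
{
    $findings = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $finding = inspectLogLine($line);
        if ($finding !== null) {
            $findings[] = $finding;
        }
    }
    return $findings;
}

// Usage: php scan_edit_account_log.php  (or pass a real log via file_get_contents)
foreach (scanAccessLog($sampleLog) as $f) {
    printf("%s %s %s Username=%s (HTTP %d)\n",
        $f['time'], $f['client'], $f['method'], $f['username'], $f['status']);
}
```

On the constructed input the script reports the two requests from 203.0.113.9 and ignores the legitimate edit and the unrelated page. Note the limitation: web server access logs record the query string but not POST bodies, so a payload submitted the way the first curl command above does (in a POST body) is only visible in application-level logging or in a WAF/reverse-proxy that logs request bodies.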
disclosure
Exploit status
EPSS
0.05% (14th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-9237 is to upgrade CodeAstro Ecommerce Website to version 1.0.1 or later, which contains the fix. If immediate upgrading is not possible, consider implementing input validation and output encoding on the Username parameter in the /customer/my_account.php file. This can help prevent malicious scripts from being injected. While a WAF might offer some protection, it's not a substitute for patching the vulnerability. After upgrading, confirm the fix by attempting to inject a simple JavaScript payload into the Username parameter and verifying that it is properly sanitized.
Update the CodeAstro Ecommerce Website software to a patched version that fixes this XSS vulnerability. If no such version is available, validate and filter user input in the /customer/my_account.php?edit_account file, particularly the Username parameter, so that malicious code cannot be injected. Implement server-side data validation and sanitization to prevent XSS attacks.
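The interim mitigation described above (validate on input, encode on output) is illustrated by the following added example. It is not CodeAstro's code: the handler, function names and the form markup are a constructed stand-in for the "Edit Your Account" page, showing the reflected pattern next to a hardened version that validates the Username server-side and HTML-attribute-encodes it before echoing it back.

```php
<?php
// Added example (not CodeAstro's code): a minimal stand-in for the
// "Edit Your Account" handler. Function names and markup are assumptions.

declare(strict_types=1);

/**
 * Vulnerable pattern: the submitted Username is concatenated straight into
 * the form, so a value containing a quote or a tag rewrites the page.
 */
function renderUsernameFieldVulnerable(array $request): string
{
    $username = (string) ($request['Username'] ?? '');
    return '<input type="text" name="Username" value="' . $username . '">';
}

/**
 * Server-side validation: accept only a conservative character set and
 * length. Returns the cleaned value, or null when the input is rejected.
 */
function validateUsername(string $username): ?string
{
    $username = trim($username);
    if ($username === '' || strlen($username) > 32) {
        return null;
    }
    if (!preg_match('/^[A-Za-z0-9._-]+$/', $username)) {
        return null;
    }
    return $username;
}

/**
 * Output encoding for the HTML attribute context. ENT_QUOTES encodes both
 * quote styles so the value cannot close the surrounding value="...".
 */
function escapeHtmlAttr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Hardened pattern: validate on input, encode on output. A rejected value
 * is never echoed; the form shows an empty field and an error instead.
 * Encoding is applied even to validated values (defense in depth).
 */
function renderUsernameFieldHardened(array $request): string
{
    $raw = (string) ($request['Username'] ?? '');
    $username = validateUsername($raw);
    $error = '';
    if ($raw !== '' && $username === null) {
        $error = '<span class="error">Username may only contain letters, digits, . _ -</span>';
        $username = '';
    }
    return '<input type="text" name="Username" value="' . escapeHtmlAttr($username) . '">' . $error;
}

// Constructed request resembling the advisory's test payload; in the real
// handler this would come from $_POST or $_GET.
$request = ['Username' => "<script>alert('XSS')</script>"];

echo "vulnerable: ", renderUsernameFieldVulnerable($request), "\n";
echo "hardened:   ", renderUsernameFieldHardened($request), "\n";
```

The vulnerable output contains the raw script tag inside the form; the hardened output contains no characters from the payload at all, and even if the allow-list were loosened, htmlspecialchars would turn `<`, `>`, `"` and `'` into entities before they reach the page. This is the post-upgrade check the advisory recommends: submit a harmless payload to the Username field and confirm the response shows it encoded or rejected, never rendered.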
CVE-2025-9237 is a cross-site scripting (XSS) vulnerability affecting CodeAstro Ecommerce Website version 1.0, allowing attackers to inject malicious scripts via the Username parameter in the edit account page.
You are affected if you are using CodeAstro Ecommerce Website version 1.0. Upgrade to version 1.0.1 or later to mitigate the risk.
Upgrade CodeAstro Ecommerce Website to version 1.0.1 or later. As a temporary workaround, implement input validation and output encoding on the Username parameter.
While there's no confirmed active exploitation, the exploit is publicly available, increasing the risk of exploitation.
Refer to the CodeAstro website or their official security advisory channels for the latest information regarding CVE-2025-9237.