Platform
other
Component
starsea-mall
Opgelost in
1.0.1
CVE-2025-0400 is a cross-site scripting (XSS) vulnerability identified in StarSea Mall version 1.0. This flaw allows attackers to inject malicious scripts into the application, potentially compromising user sessions and data. The vulnerability affects the /admin/categories/update file and is triggered by manipulating the categoryName argument. A fix is available in version 1.0.1.
Successful exploitation of CVE-2025-0400 allows an attacker to execute arbitrary JavaScript code within the context of a user's browser session. This can lead to various malicious activities, including session hijacking, defacement of the administrative interface, and theft of sensitive information such as user credentials or personal data. The attack is remotely exploitable, meaning an attacker does not need to be on the same network as the StarSea Mall server. The blast radius is limited to users interacting with the affected administrative panel.
CVE-2025-0400 has been publicly disclosed. While no active exploitation campaigns have been confirmed, the availability of the vulnerability details increases the risk of exploitation. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are likely to emerge given the ease of exploitation.
Administrators and users with access to the /admin/categories/update endpoint of StarSea Mall are at risk. Shared hosting environments where multiple users share the same StarSea Mall installation are particularly vulnerable, as an attacker could potentially compromise other users' accounts.
disclosure
Exploit Status
EPSS
0.11% (30% percentiel)
CISA SSVC
CVSS-vector
The primary mitigation for CVE-2025-0400 is to upgrade StarSea Mall to version 1.0.1, which includes the necessary fix. If upgrading immediately is not possible, consider implementing input validation and sanitization on the categoryName parameter in the /admin/categories/update endpoint. Web application firewalls (WAFs) configured to detect and block XSS payloads can also provide a temporary layer of protection. Regularly review and update security policies to prevent similar vulnerabilities in the future.
Actualizar a una versión parcheada o aplicar las medidas de seguridad necesarias para evitar la ejecución de código XSS. Validar y limpiar las entradas del usuario, especialmente el campo categoryName, antes de mostrarlo en la interfaz administrativa. Implementar políticas de seguridad de contenido (CSP) para mitigar el riesgo de XSS.
Kwetsbaarheidsanalyses en kritieke waarschuwingen direct in uw inbox.
CVE-2025-0400 is a cross-site scripting (XSS) vulnerability affecting StarSea Mall versions 1.0–1.0, allowing attackers to inject malicious scripts via the /admin/categories/update endpoint.
You are affected if you are using StarSea Mall version 1.0. Upgrade to version 1.0.1 to mitigate the risk.
Upgrade StarSea Mall to version 1.0.1. As a temporary workaround, implement input validation and sanitization on the categoryName parameter.
While no active exploitation campaigns have been confirmed, the public disclosure increases the risk of exploitation.
Refer to the StarSea Mall official website or security channels for the advisory related to CVE-2025-0400.
Upload je dependency-bestand en kom direct te weten of deze en andere CVEs jou raken.