Platform: other
Component: security
Fixed in: 1.0.1
CVE-2025-2085 is a problematic cross-site scripting (XSS) vulnerability identified in starsea-mall version 1.0. This flaw allows attackers to inject malicious scripts via manipulation of the redirectUrl parameter within the /admin/carousels/save endpoint. A fix is available in version 1.0.1, and the vulnerability details have been publicly disclosed.
Successful exploitation of CVE-2025-2085 allows an attacker to execute arbitrary JavaScript code within the context of a user's browser session on the starsea-mall application. This can lead to various malicious outcomes, including session hijacking, defacement of the administrative interface, and theft of sensitive user data, such as login credentials or personal information. Given the administrative context of the affected endpoint, an attacker could potentially gain control over the entire application if they can successfully inject and execute malicious code.
CVE-2025-2085 has been publicly disclosed, indicating a higher probability of exploitation. While the CVSS score is LOW, the ease of exploitation and potential impact on administrative functions warrant attention. No known active campaigns or public proof-of-concept exploits have been reported as of the publication date, but the public disclosure increases the risk of future exploitation.
Administrators and users of starsea-mall version 1.0 are at risk. Shared hosting environments utilizing starsea-mall are particularly vulnerable, as a compromised account on one site could potentially impact other sites hosted on the same server.
EPSS: 0.09% (25th percentile)
The primary mitigation for CVE-2025-2085 is to upgrade starsea-mall to version 1.0.1 or later, which contains the necessary fix. If upgrading is not immediately feasible, consider implementing input validation and sanitization on the redirectUrl parameter to prevent the injection of malicious scripts. Web application firewalls (WAFs) configured to detect and block XSS attacks can also provide an additional layer of protection. After upgrading, verify the fix by submitting a crafted redirectUrl parameter to the /admin/carousels/save endpoint; the parameter should be properly sanitized and no JavaScript should execute.
Upgrade to a fixed version of starsea-mall that addresses the XSS vulnerability. If no such version is available, sanitize input to the redirectUrl parameter to prevent the injection of malicious code. As a temporary measure, a Content Security Policy (CSP) can be implemented to reduce the risk of unauthorized script execution.
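One way to implement the redirectUrl validation and sanitization suggested above, as an added example that is not starsea-mall's code or its 1.0.1 fix. It is written in Python for illustration and assumes the field should hold an absolute http(s) URL or a site-relative path that is later rendered inside an href attribute; the function names and sample values are constructed.

```python
import html
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}   # assumption: carousel links are ordinary web URLs
FORBIDDEN_CHARS = set("<>\"'`\\")     # rejected outright; a legitimate link can percent-encode them
MAX_LENGTH = 2048


def validate_redirect_url(value):
    """Return the trimmed redirectUrl, or raise ValueError if it is not acceptable."""
    if not isinstance(value, str):
        raise ValueError("redirectUrl must be a string")
    url = value.strip()
    if not url or len(url) > MAX_LENGTH:
        raise ValueError("redirectUrl is empty or too long")
    # Browsers drop tabs and newlines while parsing a URL, so "java\tscript:" must not pass.
    if any(ch.isspace() or ord(ch) < 0x20 or ord(ch) == 0x7F for ch in url):
        raise ValueError("whitespace or control character in redirectUrl")
    if FORBIDDEN_CHARS & set(url):
        raise ValueError("markup character in redirectUrl")
    if url.startswith("/"):
        # Site-relative path; "//host/..." would be a protocol-relative external URL.
        if url.startswith("//"):
            raise ValueError("protocol-relative URL not allowed")
        return url
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        raise ValueError("only absolute http(s) URLs or site-relative paths are allowed")
    return url


def render_href(value):
    """Validate first, then HTML-attribute-encode the value for an href="..." context."""
    return 'href="%s"' % html.escape(validate_redirect_url(value), quote=True)


def is_accepted(value):
    """Boolean wrapper, convenient for form validation and for regression tests."""
    try:
        validate_redirect_url(value)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the advisory.
    for sample in ("https://shop.example/sale?id=1&page=2", "/goods/detail/10",
                   "javascript:alert(1)", "//cdn.example/x"):
        print(repr(sample), "accepted" if is_accepted(sample) else "rejected")
```

Validation on save and encoding on output are both applied because either one alone leaves a gap: a scheme allow-list does not stop attribute breakout, and attribute encoding does not stop a javascript: link.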
CVE-2025-2085 is a cross-site scripting (XSS) vulnerability in starsea-mall version 1.0, allowing attackers to inject malicious scripts via the redirectUrl parameter.
You are affected if you are using starsea-mall version 1.0. Upgrade to 1.0.1 or later to mitigate the risk.
Upgrade starsea-mall to version 1.0.1 or later. Implement input validation and sanitization as a temporary workaround if upgrading is not immediately possible.
While no active campaigns are currently confirmed, the public disclosure increases the risk of future exploitation.
Refer to the starsea-mall project's official website or repository for the latest security advisories and updates.