Platform
php
Component
19d21e7fdbaf3512fccfd75df3080657
Fixed version
1.0.1
CVE-2025-0295 describes a cross-site scripting (XSS) vulnerability discovered in Online Book Shop version 1.0. This flaw allows attackers to inject malicious scripts into the application, potentially compromising user sessions and data. The vulnerability lies in the /booklist.php file and is triggered by manipulating the 'subcatnm' parameter. A patch is available in version 1.0.1.
An attacker can exploit this XSS vulnerability by crafting a malicious URL whose 'subcatnm' parameter carries the injected script. When a user opens this link, the script executes within their browser context, under the user's privileges. This could allow the attacker to steal session cookies, redirect the user to a phishing site, or deface the website. The impact is limited to the user who interacts with the malicious link, but the consequences can be severe, including account compromise and data theft. The vulnerability's location within a book listing page suggests an attack vector targeting users browsing the online store.
This vulnerability has been publicly disclosed, increasing the risk of exploitation. No known active campaigns targeting this specific CVE have been reported as of the publication date. The CVSS score of 3.5 (LOW) indicates a relatively low probability of exploitation, but the public disclosure necessitates prompt remediation. The vulnerability is tracked by the NVD and CISA.
Users of Online Book Shop version 1.0 are directly at risk. Shared hosting environments where multiple websites share the same server resources are particularly vulnerable, as an attacker could potentially compromise other websites hosted on the same server if they can exploit this vulnerability.
• php / web:
grep -rn 'subcatnm' /var/www/html/booklist.php | grep -i '<script' # look for the parameter being echoed next to script markup
• generic web:
curl -sG 'http://your-online-book-shop.com/booklist.php' --data-urlencode 'subcatnm=<script>alert(1)</script>' | grep -c '<script>alert(1)</script>' # a non-zero count means the literal value is reflected unescaped; a HEAD request and Content-Type header cannot show this
Exploitation status
disclosure
EPSS
0.24% (46th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-0295 is to upgrade to version 1.0.1 of Online Book Shop, which contains the fix. If upgrading is not immediately feasible, consider implementing input validation and sanitization on the 'subcatnm' parameter in /booklist.php. This should include escaping any potentially harmful characters before rendering the parameter in the HTML output. Web application firewalls (WAFs) configured to detect and block XSS payloads can also provide an additional layer of protection. Review and update any existing security policies to address XSS vulnerabilities.
Upgrade to the patched version or apply a workaround that filters or escapes the input to the 'subcatnm' parameter in the file '/booklist.php' to prevent execution of XSS code. Validating and sanitizing user input is essential to preventing vulnerabilities of this kind. If no patched version is available, consider disabling or removing the affected feature until a fix can be applied.
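As an added illustration (not code from the Online Book Shop project, whose booklist.php source is not shown on this page), the following PHP contrasts the reflection pattern the advisory describes with the validation and escaping the mitigation section recommends for the 'subcatnm' parameter; the function names, the fallback value and the allowed-character rule are assumptions.

```php
<?php
// Added example, not the project's code: the real booklist.php is not on this page.
// Pattern the advisory describes: the 'subcatnm' query parameter is written
// straight into the HTML response, so a crafted link runs in the visitor's browser.
function render_heading_unsafe(array $get): string
{
    $subcatnm = $get['subcatnm'] ?? '';
    return "<h2>Books in " . $subcatnm . "</h2>";   // reflected without escaping
}

// Hardened form, following the mitigation section:
// 1. validate the value against what a sub-category name may contain,
// 2. escape it for the HTML context before output.
function render_heading_safe(array $get): string
{
    $subcatnm = $get['subcatnm'] ?? '';

    // Validation (assumed rule): a sub-category name is short, printable text.
    // Anything else is rejected rather than "cleaned", so the rule stays simple.
    // The is_string check also rejects subcatnm[]=... array inputs.
    if (!is_string($subcatnm) || !preg_match('/^[\p{L}\p{N} \-&\']{1,64}$/u', $subcatnm)) {
        $subcatnm = 'All';   // assumed known-good fallback; a 400 response is another option
    }

    // Output encoding: the validation rule still admits & and ', so escaping is
    // required as well. ENT_QUOTES covers both quote characters, which keeps the
    // value safe if it is later placed inside an attribute.
    $escaped = htmlspecialchars($subcatnm, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<h2>Books in " . $escaped . "</h2>";
}

// Constructed sample inputs: a hostile value and a legitimate name containing '&'.
$hostile = ['subcatnm' => '<script>alert(1)</script>'];
$benign  = ['subcatnm' => 'Sci-Fi & Fantasy'];

echo render_heading_unsafe($hostile), PHP_EOL;  // the script tag ends up in the page
echo render_heading_safe($hostile), PHP_EOL;    // fails validation, fallback is rendered
echo render_heading_safe($benign), PHP_EOL;     // passes validation, '&' is escaped
```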
CVE-2025-0295 is a cross-site scripting (XSS) vulnerability affecting Online Book Shop version 1.0, allowing attackers to inject malicious scripts.
If you are using Online Book Shop version 1.0, you are affected by this vulnerability. Upgrade to version 1.0.1 to mitigate the risk.
Upgrade to version 1.0.1. As a temporary workaround, implement input validation and sanitization on the 'subcatnm' parameter.
While no active campaigns have been confirmed, the vulnerability has been publicly disclosed, increasing the risk of exploitation.
Refer to the Online Book Shop project's official website or security advisory page for the latest information and updates regarding CVE-2025-0295.