CVE-2025-2086 is a cross-site scripting (XSS) vulnerability, rated as problematic, discovered in starsea-mall version 1.0. The flaw allows attackers to inject malicious scripts by manipulating the redirectUrl parameter, potentially leading to session hijacking or page defacement. Version 1.0 is affected, and a fix is available in version 1.0.1.
Successful exploitation of CVE-2025-2086 allows an attacker to execute arbitrary JavaScript code within the context of a user's browser session. This can lead to the theft of sensitive information, such as cookies and session tokens, enabling the attacker to impersonate the user. The attacker could also modify the content of the page, redirect users to malicious websites, or launch further attacks against the user's system. Given the nature of XSS, the impact can range from minor annoyance to complete compromise of user accounts and data.
This vulnerability has been publicly disclosed. While the CVSS score is LOW, the ease of exploitation and potential impact on user data warrant attention. No known active campaigns targeting this specific vulnerability have been reported as of the publication date, but the public availability of the exploit increases the risk of opportunistic attacks. The vulnerability was disclosed on 2025-03-07.
Starsea-mall deployments, particularly those running version 1.0, are at risk. Shared hosting environments where multiple users share the same instance of starsea-mall are especially vulnerable, as an attacker could potentially compromise other users' accounts through this XSS vulnerability.
Exploitation status: EPSS 0.09% (25th percentile)
The primary mitigation for CVE-2025-2086 is to upgrade starsea-mall to version 1.0.1 or later, which contains the fix. If upgrading immediately is not possible, consider implementing input validation and sanitization on the redirectUrl parameter to prevent malicious input. Web application firewalls (WAFs) configured to detect and block XSS attacks can also provide a temporary layer of protection. Review and harden the application's security configuration to minimize the attack surface.
Update starsea-mall to the patched version that fixes the XSS vulnerability. For more information on the update, see the release notes or the vendor's website. As a temporary measure, filter or escape user input in the redirectUrl parameter to prevent script injection.
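The interim mitigation above (validate and escape the redirectUrl value before it reaches a page) can be shown as a small server-side check. This is an added illustration, not starsea-mall's own code; the project's actual handler and its fix are not reproduced on this page, and the function names, the `/` fallback target and the sample payloads below are assumptions constructed for the example.

```python
"""Defensive handling of a redirectUrl parameter (illustrative, not the project's code).

Two layers: an allowlist that accepts only same-origin relative paths, and
HTML escaping at the point where the value is reflected into markup.
"""
from html import escape
from typing import Optional
from urllib.parse import urlsplit

DEFAULT_TARGET = "/"  # assumed fallback used whenever the supplied value is rejected


def safe_redirect_target(value: Optional[str]) -> str:
    """Return a same-origin relative path, or DEFAULT_TARGET if the value is unsafe."""
    if not value:
        return DEFAULT_TARGET
    # Control characters and whitespace can smuggle a scheme past naive checks
    # or break out of an attribute, so reject them outright.
    if any(ord(c) < 0x20 or c.isspace() for c in value):
        return DEFAULT_TARGET
    parts = urlsplit(value)
    # Any scheme (http:, javascript:, data:, ...) or host part (//evil.example) is off-site.
    if parts.scheme or parts.netloc:
        return DEFAULT_TARGET
    # Require an absolute path on this origin; browsers treat "//" and "/\" as host-relative.
    if not value.startswith("/") or value.startswith(("//", "/\\")):
        return DEFAULT_TARGET
    return value


def render_redirect_page(raw_value: Optional[str]) -> str:
    """Build the markup a page would emit when reflecting the target: validate, then escape."""
    target = safe_redirect_target(raw_value)
    # escape(..., quote=True) neutralises <, >, &, " and ' so the value cannot close the attribute.
    return f'<meta http-equiv="refresh" content="0;url={escape(target, quote=True)}">'
```

A value that passes the allowlist but still contains markup characters (for example a path followed by `"><script>`) is kept as a path and rendered escaped, so the browser sees text rather than a new tag.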
CVE-2025-2086 is a cross-site scripting (XSS) vulnerability in starsea-mall version 1.0, allowing attackers to inject malicious scripts via the redirectUrl parameter.
You are affected if you are running starsea-mall version 1.0. Upgrade to version 1.0.1 or later to mitigate the risk.
Upgrade starsea-mall to version 1.0.1 or later. Implement input validation and sanitization on the redirectUrl parameter as a temporary workaround.
No active campaigns targeting this specific vulnerability have been confirmed, but the public disclosure increases the risk of opportunistic attacks.
Refer to the starsea-mall project's official website or repository for the latest security advisories and updates.