Moonshine, Stored Cross-Site Scripting, CVE-2025-12345 (Moderate)

The CVE-2025-12345 vulnerability exists within the Create function of the Moonshine admin panel. The `Link` form field fails to properly sanitize user input before rendering it on the page. An attacker can submit a new containing a malicious payload within the Link attribute, such as <script>alert('XSS')</script>. This payload is then stored in the application’s database. When an authenticated administrator views the list of s or edits the malicious entry, the stored JavaScript payload is retrieved and executed within their browser session. This execution occurs in the context of the admin user, potentially allowing the attacker to steal session cookies, perform actions on behalf of the user, or deface the admin interface.
Platform: Moonshine
Version: v3.12.3
Vulnerability: Stored XSS
Severity: Moderate

Date: 2025-08-19

Prediction: 2025-09-02

What Undercode Says:

curl -X POST http://<target>/admin/s \
-H "Authorization: Bearer <token>" \
-d "=Test&link=javascript:alert('XSS')//"
<img src=x onerror=fetch('/steal?cookie='+document.cookie)>

How to Exploit:

Inject malicious script into the `link` parameter during creation. The payload executes upon admin viewing.

Protection from this CVE:

Update to the patched version. Encode the Link value for its output context when rendering it in the admin list and edit views. Validate and sanitize user-supplied link input before storing it.
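Output encoding and link validation as described above, written out as an added example; this is not Moonshine's code and not part of the original post. It renders an admin list cell in Python, showing the defective string-interpolation pattern beside a hardened version that allowlists URL schemes (applying the same leading-control and tab/newline stripping a browser's URL parser does, so case and whitespace tricks do not bypass the check) and HTML-encodes the attribute and text contexts. The function names, the scheme allowlist and the sample rows are assumptions made for the example.

```python
import html
import re

# Schemes an admin "Link" field is allowed to hold (assumption for this example).
ALLOWED_SCHEMES = {"http", "https", "mailto"}

# RFC 3986 scheme syntax: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )
SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*$")


def normalize_for_scheme_check(raw: str) -> str:
    """Apply the rules a browser URL parser uses before resolving a scheme:
    leading C0 controls and spaces are dropped, and tab/CR/LF are removed
    anywhere, so "\\tjava\\nscript:" still resolves to javascript:."""
    leading_junk = "".join(chr(c) for c in range(0x21))
    stripped = raw.lstrip(leading_junk)
    return stripped.replace("\t", "").replace("\n", "").replace("\r", "")


def extract_scheme(cleaned: str):
    """Return the lower-cased scheme of an absolute URL, or None if there is none."""
    idx = cleaned.find(":")
    if idx <= 0:
        return None
    candidate = cleaned[:idx]
    if not SCHEME_RE.match(candidate):
        return None  # e.g. "/path?x=a:b" is a relative URL, not a scheme
    return candidate.lower()


def sanitize_link(raw):
    """Return a link that is safe to place in href, or None to reject it."""
    if raw is None:
        return None
    cleaned = normalize_for_scheme_check(raw).strip()
    scheme = extract_scheme(cleaned)
    if scheme is not None:
        return cleaned if scheme in ALLOWED_SCHEMES else None
    # Scheme-less values: allow same-origin absolute paths only; "//host" is
    # protocol-relative and would point off-origin.
    if cleaned.startswith("/") and not cleaned.startswith("//"):
        return cleaned
    return None


def render_link_cell_vulnerable(label: str, raw_link: str) -> str:
    """The defective pattern: the stored value is interpolated straight into markup."""
    return f'<a href="{raw_link}">{label}</a>'


def render_link_cell(label: str, raw_link: str) -> str:
    """Hardened: validate the URL, then encode both attribute and text contexts."""
    safe_label = html.escape(label, quote=True)
    safe_href = sanitize_link(raw_link)
    if safe_href is None:
        # Rejected links are shown as plain text, never as something clickable.
        return f"<span>{safe_label}</span>"
    return f'<a href="{html.escape(safe_href, quote=True)}">{safe_label}</a>'


# Constructed sample rows, including the two payload shapes quoted in the post.
SAMPLE_ROWS = [
    {"label": "Docs", "link": "https://example.com/docs?v=3.12.3"},
    {"label": "Test", "link": "javascript:alert('XSS')//"},
    {"label": "Test", "link": "<img src=x onerror=fetch('/steal?cookie='+document.cookie)>"},
    {"label": "Local", "link": "/admin/resource/1"},
]


def render_table(rows) -> str:
    """Render every row's link cell the hardened way, one cell per line."""
    return "\n".join(render_link_cell(r["label"], r["link"]) for r in rows)


if __name__ == "__main__":
    print(render_table(SAMPLE_ROWS))
```

Validation happens on the stored value at render time as well as on input, so a record that was written before the fix is still neutralised when an administrator opens the list or edit view; the attribute encoding is kept even for allowlisted URLs because a quote inside an otherwise harmless https link would otherwise break out of the href attribute.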

Impact:

Admin session compromise. Privilege escalation. Unauthorized admin actions.

Sources:

Reported By: github.com