How the CVE Works:
CVE-2025-1114 is a stored XSS vulnerability in newbee-mall 1.0 affecting the `/admin/categories/save` endpoint. The `categoryName` parameter is stored without input sanitization or output encoding, so an attacker can inject a JavaScript payload that persists with the category record. When an admin later views the manipulated category, the script executes in the admin's browser, potentially leading to session hijacking or unauthorized actions performed with admin rights. The attack is remote and requires only a low-privileged account (PR:L) plus passive user interaction from the victim (UI:P). The CVSS 4.0 vector (AV:N/AC:L/UI:P) confirms network-based exploitation with low attack complexity.
DailyCVE Form:
Platform: newbee-mall
Version: 1.0
Vulnerability: Stored XSS
Severity: Medium
Date: 06/20/2025
Prediction: Patch by 08/2025
What Undercode Say:
curl -X POST -d "categoryName=<script>alert('XSS')</script>" http://target/admin/categories/save

import requests

target_url = "http://target/admin/categories/save"  # same placeholder host as the curl line above
payload = "<img src=x onerror=stealCookies()>"
requests.post(target_url, data={"categoryName": payload})
How the Exploit Works:
1. Craft malicious `categoryName` payload.
2. Submit via `/admin/categories/save`.
3. Admin triggers execution on page load.
Protection from this CVE:
- Input validation and output encoding (HTML/JS escaping) of `categoryName`.
- Enforce a Content-Security-Policy header on admin pages.
- Admin session hardening (HttpOnly/SameSite cookies, short session lifetime).
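The following is an added illustration, not newbee-mall's own code, of the first two mitigations and of a log check a defender could run: a validator that rejects markup in `categoryName`, an output encoder that neutralizes the two payloads quoted above, and a scan of constructed access-log lines for suspicious saves. Function names, the log format and the CSP value are assumptions.

```python
import html
import re
from urllib.parse import parse_qs

# Hypothetical helper names; the log format below is constructed for this example.
MARKUP_RE = re.compile(r"<|>|javascript:|on\w+\s*=", re.IGNORECASE)

def validate_category_name(name: str) -> bool:
    """Server-side check: reject empty/overlong names and anything carrying markup
    or an inline event handler before the value is stored."""
    if not 1 <= len(name.strip()) <= 64:
        return False
    return MARKUP_RE.search(name) is None

def render_category_name(name: str) -> str:
    """Output encoding for the admin view: escape <, >, &, quotes so a stored
    value is shown as text instead of being parsed as HTML (defence in depth)."""
    return html.escape(name, quote=True)

# Assumed policy for the admin pages: no inline scripts, so an injected
# <script> or onerror handler is blocked even if encoding is ever missed.
CSP_HEADER = "Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'"

# Constructed sample access-log lines: "<method> <path> <url-encoded body>"
SAMPLE_LOG = [
    "POST /admin/categories/save categoryName=Shoes&parentId=0",
    "POST /admin/categories/save categoryName=%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E",
    "POST /admin/categories/save categoryName=%3Cimg+src%3Dx+onerror%3DstealCookies%28%29%3E",
]

def find_suspicious_saves(lines):
    """Return the decoded categoryName values posted to the vulnerable endpoint
    that fail validation, i.e. candidate stored-XSS attempts to investigate."""
    hits = []
    for line in lines:
        method, path, body = line.split(" ", 2)
        if method != "POST" or path != "/admin/categories/save":
            continue
        for value in parse_qs(body).get("categoryName", []):
            if not validate_category_name(value):
                hits.append(value)
    return hits

if __name__ == "__main__":
    for value in find_suspicious_saves(SAMPLE_LOG):
        print("blocked:", value, "-> rendered as:", render_category_name(value))
```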
Impact:
- Session hijacking.
- Admin privilege escalation.
- Data exfiltration.
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode