
macrozheng mall CVE-2025-8191

Severity: LOW (CVSS 4.0 base score 2.0, rated by NVD)
Weakness: Cross-site Scripting (XSS) (CWE-79)
Published: 2025-07-26, CNA: cna@vuldb.com

Severity by source

NVD (primary): 2.0 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector (AV): Network
Attack Complexity (AC): Low
Attack Requirements (AT): None
Privileges Required (PR): Low
User Interaction (UI): Passive
Vulnerable System impact (VC/VI/VA): Confidentiality None, Integrity Low, Availability None
Subsequent System impact (SC/SI/SA): None, None, None
Exploit Maturity (E): Proof-of-Concept
Safety (S): Not Defined. CVSS 4.0 has no Scope metric; the S:X in the vector is the Safety supplemental metric, and the remaining X entries are environmental and supplemental metrics left unset.

Lifecycle Timeline

1. Analysis generated: Apr 29, 2026, 01:49 (vuln.today)

Description (CVE.org)

A vulnerability, which was classified as problematic, was found in macrozheng mall up to 1.0.3. Affected is an unknown function of the file /swagger-ui/index.html of the component Swagger UI. The manipulation of the argument configUrl leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor deleted the GitHub issue for this vulnerability without any explanation. Afterwards the vendor was contacted early about this disclosure via email but did not respond in any way.

Analysis (AI)

Cross-site scripting (XSS) in macrozheng mall up to and including version 1.0.3 lets a remote attacker with low privileges (PR:L) inject script through the configUrl query parameter of the bundled Swagger UI page (/swagger-ui/index.html). The script runs in the browser of a user who opens a crafted link, so exploitation depends on user interaction and on the victim holding a session with the application. NVD rates the impact as low integrity loss on the vulnerable system only (VI:L), with no confidentiality or availability impact. A public proof of concept exists (E:P); the vendor deleted the GitHub issue reporting the bug, did not respond to the disclosure e-mail, and had released no fixed version at the time of this analysis.

Technical Context (AI)

The flaw is a DOM-based cross-site scripting issue (CWE-79) in how the Swagger UI bundled with macrozheng mall handles its configUrl parameter. Swagger UI, the browser-side API documentation viewer shipped with many Spring Boot projects, accepts configUrl from the page's query string, fetches a JSON configuration document from that URL and applies it; the fetched configuration can in turn set further options, including the url of the OpenAPI document the UI renders. Because the page uses the attacker-supplied value without restricting it to trusted origins, an attacker who gets a victim to open a crafted /swagger-ui/index.html?configUrl=... link can steer the UI to attacker-controlled content and have JavaScript execute in the victim's browser, inside the origin and session of the mall application. All versions of macrozheng mall up to and including 1.0.3 are affected (CPE: cpe:2.3:a:macrozheng:mall:*:*:*:*:*:*:*:*).

Remediation (AI)

No fixed version had been released as of this analysis. Until one is, treat the Swagger UI endpoint (/swagger-ui/index.html and the rest of the /swagger-ui/ path) as a development tool and keep it off production hosts: disable it in the application's production profile (with springfox this is the springfox.documentation.enabled property, with springdoc-openapi it is springdoc.swagger-ui.enabled; which applies depends on the integration the deployment uses), or block or allowlist the path at the reverse proxy (nginx, Apache) so that only internal development networks, or users who pass an additional authentication layer, can reach it. Also check which Swagger UI build the application ships: upstream Swagger UI has ignored the url and configUrl query parameters by default since 4.1.3 (the queryConfigEnabled option), so confirm that query-string configuration is not enabled in the bundled copy. If the UI must stay reachable, add a Content Security Policy that disallows inline script and restricts script-src and connect-src to the application's own origin, which also stops the browser from fetching a configuration document from an external host; test the UI under that policy, since a restrictive CSP can break the page rather than merely block the payload. In access logs, look for requests to /swagger-ui/index.html whose query string carries a configUrl value, particularly one pointing at an external host; that is what an exploitation attempt looks like. Confirm that authentication is enforced on the application and that user sessions are properly isolated. Contact the macrozheng team for security updates, but given the vendor's non-response to this disclosure, plan for a community-maintained fork or an alternative e-commerce platform for production use.
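As an added illustration for the Technical Context and Remediation sections above (this is example code, not code from Swagger UI, macrozheng mall or the vendor), the following JavaScript models how a configUrl query parameter turns into attacker-controlled configuration, beside a hardened resolver that mirrors the queryConfigEnabled default and adds a same-origin check, and a filter for the fetched configuration document itself. PAGE_ORIGIN, DEFAULT_CONFIG_URL, the allowed key list and the attacker URLs are constructed assumptions for the demo.

```javascript
// Added example, not Swagger UI's or macrozheng mall's code. Assumed values for the demo:
const PAGE_ORIGIN = "https://mall.example.test";            // origin the UI page is served from
const DEFAULT_CONFIG_URL = "/v3/api-docs/swagger-config";   // assumed same-origin default

// Vulnerable pattern: whatever ?configUrl=... says becomes the place configuration
// is fetched from, so a crafted link fully controls it.
function resolveConfigUrlUnsafe(search) {
  return new URLSearchParams(search).get("configUrl");
}

// Hardened pattern: query-string configuration is ignored unless explicitly enabled
// (the behaviour of Swagger UI's queryConfigEnabled option), and even then the value
// must resolve to the page's own origin.
function resolveConfigUrlSafe(search, { queryConfigEnabled = false } = {}) {
  if (!queryConfigEnabled) return DEFAULT_CONFIG_URL;
  const candidate = new URLSearchParams(search).get("configUrl");
  if (!candidate) return DEFAULT_CONFIG_URL;
  let parsed;
  try {
    parsed = new URL(candidate, PAGE_ORIGIN); // relative paths resolve against the page
  } catch {
    return DEFAULT_CONFIG_URL;                // unparseable value: fall back
  }
  // Rejects other hosts, protocol-relative //host/..., userinfo tricks and
  // javascript:/data: schemes (whose origin is "null").
  if (parsed.origin !== PAGE_ORIGIN) return DEFAULT_CONFIG_URL;
  return parsed.pathname + parsed.search;
}

// The fetched configuration document is untrusted input too: it can set "url"
// (the OpenAPI document to render) and other options. Keep only known keys and
// force "url" to the page's origin. The allowlist is an assumption for the demo.
const ALLOWED_CONFIG_KEYS = new Set(["url", "deepLinking", "displayRequestDuration"]);

function sanitizeLoadedConfig(config) {
  const clean = {};
  for (const [key, value] of Object.entries(config || {})) {
    if (!ALLOWED_CONFIG_KEYS.has(key)) continue;   // drop unknown options outright
    if (key === "url") {
      let parsed;
      try {
        parsed = new URL(String(value), PAGE_ORIGIN);
      } catch {
        continue;
      }
      if (parsed.origin !== PAGE_ORIGIN) continue; // drop cross-origin spec URLs
      clean.url = parsed.pathname + parsed.search;
    } else {
      clean[key] = value;
    }
  }
  return clean;
}

// Constructed sample: a crafted link of the kind the description refers to, and the
// configuration document such a link would fetch from the attacker's host.
const craftedSearch = "?configUrl=https://attacker.example/swagger-config.json";
const attackerConfig = {
  url: "https://attacker.example/evil-openapi.json", // attacker-hosted spec
  deepLinking: true,
  onComplete: "not a real option, dropped by the allowlist",
};

console.log("unsafe resolver      :", resolveConfigUrlUnsafe(craftedSearch));
console.log("safe, query off      :", resolveConfigUrlSafe(craftedSearch));
console.log("safe, query on       :", resolveConfigUrlSafe(craftedSearch, { queryConfigEnabled: true }));
console.log("safe, same-origin    :", resolveConfigUrlSafe("?configUrl=/v3/api-docs/swagger-config", { queryConfigEnabled: true }));
console.log("sanitized config     :", sanitizeLoadedConfig(attackerConfig));
```

Run it with node. The origin comparison deliberately goes through the URL parser rather than a string prefix check, so host-confusion inputs such as https://mall.example.test.attacker.example/ or https://mall.example.test@attacker.example/ are rejected by the same test that rejects a plain foreign host.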
