CVE-2025-8191
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-07-26

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability, which was classified as problematic, was found in macrozheng mall up to 1.0.3. Affected is an unknown function of the file /swagger-ui/index.html of the component Swagger UI. The manipulation of the argument configUrl leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor deleted the GitHub issue for this vulnerability without any explanation. Afterwards the vendor was contacted early about this disclosure via email but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-07-26
Last Modified
2026-04-29
Generated
2026-05-27
AI Q&A
2025-07-26
EPSS Evaluated
2026-05-25
NVD
CVE-2025-8191
EUVD
EUVD-2025-22797
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
macrozheng mall to 1.0.3 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-8191 is a DOM-based Cross-Site Scripting (XSS) vulnerability found in macrozheng mall versions up to 1.0.3, specifically in the Swagger UI component at /swagger-ui/index.html. The vulnerability arises from improper handling of the 'configUrl' parameter, which allows attackers to inject malicious scripts that execute in the victim's browser. This can be exploited remotely and requires user interaction. The issue is due to insufficient input neutralization before outputting to the web page, classified under CWE-79. [1, 2]


How can this vulnerability impact me? :

This vulnerability can allow attackers to execute malicious scripts in the context of a victim's browser, potentially leading to unauthorized actions or exposure of sensitive data. Since the Swagger UI interface is improperly access-controlled, attackers can remotely exploit this vulnerability to perform cross-site scripting attacks, which may compromise data integrity and user security. The exploit is publicly available and easy to execute, increasing the risk of exploitation. [1, 2]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by searching for the presence of the vulnerable Swagger UI component, specifically the /swagger-ui/index.html path. One suggested method is using Google dorking with the query 'inurl:swagger-ui/index.html' to identify exposed instances. Additionally, inspecting the web application for the 'configUrl' parameter in the Swagger UI and testing for DOM-based XSS by injecting benign scripts into this parameter can help detect the vulnerability. [2]


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include replacing the affected Swagger UI component with an alternative product or version that is not vulnerable, as no official vendor mitigations or patches are available. Restricting access to the /swagger-ui/index.html interface through network controls or authentication can reduce exposure. Avoid using the vulnerable versions 1.0.0 through 1.0.3 of macrozheng mall until a fix is available. [2]


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart