CVE-2025-8191
Published 2025-07-26
Priority: P3 39 medium
CVSS 3.1: 5.4 (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
Exploit: public exploit indexed (see Exploit-DB section)
EPSS: 1.65% (73.5th percentile)
A vulnerability, which was classified as problematic, was found in macrozheng mall up to 1.0.3. Affected is an unknown function of the file /swagger-ui/index.html of the component Swagger UI. The manipulation of the argument configUrl leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor deleted the GitHub issue for this vulnerability without any explanation. Afterwards the vendor was contacted early about this disclosure via email but did not respond in any way.
Affected (5 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| macrozheng | mall | <= 1.0.3 | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 5.4 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
| NVD | 4.0 | 2.0 | LOW | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| NVD | 2.0 | 4.0 | MEDIUM | AV:N/AC:L/Au:S/C:N/I:P/A:N |
No detection rules found.
Exploit-DB
Swagger UI 1.0.3 - Cross-Site Scripting (XSS) (exploitdb · 2025-08-03 · CVSS 5.1, rated MEDIUM)
---
```c
/*
 * Author : Byte Reaper
 * Telegram : @ByteReaper0
 * CVE : CVE-2025-8191
 * Title : Swagger UI 1.0.3 - Cross-Site Scripting (XSS)
 * Description : CVE-2025-8191, a vulnerability in the Swagger UI service due to poor description parameter filtering, leading to command execution on a remote server.
 *
 */
#include
#include
#include
#include "argparse.h"
#include
int portSel = 0;
int portServerSel = 0;
int selectFile = 0;
const char *targetUrl = NULL;
const char *cookies = NULL;
const char *server = NULL;
const char *yourFile = NULL;
const char *payloadFile = "xss.json";
int targetPort = 0;
int yourPort = 0;
int verbose = 0;
int useCookies = 0;
struct Mem
{
    char *buffer;
    size_t len;
};
void exitAssembly()
{
    __asm__ volatile
    (
        "mov $231, %%r
```
Nuclei
Swagger UI >=3.14.1 < 3.38.0 - DOM Based Cross-Site Scripting (nuclei · CVSS 5.1, rated MEDIUM)
```yaml
author: DhiyaneshDK
severity: medium
description: |
  Swagger UI versions 3.14.1 through 3.37.x are vulnerable to DOM-based Cross-Site Scripting (XSS) attacks. The vulnerability occurs when processing malicious configuration URLs that contain XSS payloads in the Swagger specification. An attacker can craft a malicious configUrl parameter that, when processed by Swagger UI, executes arbitrary JavaScript code in the victim's browser context.
impact: |
  Attackers can craft malicious configUrl or url parameters in Swagger UI that execute arbitrary JavaScript in victims' browsers, potentially leading to session hijacking, credential theft, or account takeover when users access the malicious Swagger documentation.
remediation: |
```
No writeups or analysis indexed.