CVE-2025-51488

4.9 MEDIUM

📋 TL;DR

A stored XSS vulnerability in MoonShine versions before 3.12.4 allows attackers to inject malicious JavaScript into the Name parameter when creating Admin accounts. This affects all MoonShine deployments using vulnerable versions, potentially compromising admin sessions and data.

💻 Affected Systems

Products:
  • MoonShine
Versions: All versions < 3.12.4
Operating Systems: Any
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in the admin creation functionality; any MoonShine instance with admin creation enabled is affected.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could steal admin session cookies, perform actions as administrators, exfiltrate sensitive data, or deploy malware to admin browsers.

🟠

Likely Case

Session hijacking leading to unauthorized admin access, data theft, or defacement of admin interfaces.

🟢

If Mitigated

Limited to admin interface disruption if input validation and output encoding are properly implemented elsewhere.

🌐 Internet-Facing: HIGH - Publicly accessible admin interfaces allow remote exploitation without authentication.
🏢 Internal Only: MEDIUM - Internal attackers or compromised accounts could exploit this to escalate privileges.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires creating an admin account with malicious payload; proof-of-concept code is available in the referenced GitHub repository.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.12.4

Vendor Advisory: https://github.com/moonshine-software/moonshine

Restart Required: No

Instructions:

1. Update MoonShine to version 3.12.4 or later via composer: composer update moonshine/moonshine
2. Clear application cache if applicable.
3. Verify the update completed successfully.

🔧 Temporary Workarounds

Input Validation and Sanitization

all

Implement server-side validation to reject HTML/JavaScript in the Name parameter during admin creation.

Output Encoding

all

Ensure all user-controlled data displayed in admin interfaces is properly HTML-encoded.
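The two workarounds above, as an added example that is not MoonShine's own code: a framework-agnostic PHP illustration of server-side validation for the Name field next to the output-encoding step. The function names, the allowlist regex and the sample payload are constructed for this example; how the check is wired into a MoonShine resource is not shown on the page and is left to the deployment.

```php
<?php
// Added example (not MoonShine's code): validateAdminName() rejects names that
// carry HTML or script characters before they are stored; renderNameEncoded()
// shows the encoding every user-controlled value needs when it is rendered in
// admin HTML; renderNameRaw() is the vulnerable pattern, kept only for contrast.

declare(strict_types=1);

/**
 * Server-side validation for the admin "Name" field (hypothetical helper).
 * Returns null when the name is acceptable, otherwise a human-readable reason.
 */
function validateAdminName(string $name): ?string
{
    $trimmed = trim($name);
    if ($trimmed === '' || mb_strlen($trimmed) > 100) {
        return 'Name must be between 1 and 100 characters.';
    }
    // Explicit check for markup characters so the error message is clear.
    if (preg_match('/[<>"\'`]/u', $trimmed) === 1) {
        return 'Name must not contain HTML or script characters.';
    }
    // Allowlist: Unicode letters, combining marks, digits, space, dot, hyphen.
    // Adjust to local naming conventions; encoding on output stays the real defence.
    if (preg_match('/^[\p{L}\p{M}\p{N} .\-]+$/u', $trimmed) !== 1) {
        return 'Name contains characters that are not allowed.';
    }
    return null;
}

/**
 * Output encoding: the hardened side. The value is encoded for an HTML text
 * context, with quotes included so the same helper is safe inside attributes.
 */
function renderNameEncoded(string $name): string
{
    $safe = htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<td>' . $safe . '</td>';
}

/**
 * The vulnerable pattern this CVE describes: a stored value concatenated into
 * HTML without encoding. Shown only for contrast; do not use.
 */
function renderNameRaw(string $name): string
{
    return '<td>' . $name . '</td>';
}

// Constructed sample input: a name that carries a script tag.
$payload = 'Alice <script>alert(1)</script>';

// A normal name passes validation; the payload is rejected at the boundary.
assert(validateAdminName('Alice Smith') === null);
assert(validateAdminName($payload) !== null);

// Even if a bad value reached storage, encoding keeps it inert; the raw path does not.
assert(strpos(renderNameEncoded($payload), '<script>') === false);
assert(strpos(renderNameRaw($payload), '<script>') !== false);

echo renderNameEncoded($payload), PHP_EOL;
```

Validation and encoding are complementary, not alternatives: the allowlist limits what gets stored, while htmlspecialchars() with ENT_QUOTES is what actually prevents a stored value from being interpreted as markup wherever it is later displayed. Run with zend.assertions=1 if you want the assert() lines to execute.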

🧯 If You Can't Patch

  • Disable admin creation functionality or restrict it to trusted users only.
  • Implement a Web Application Firewall (WAF) with XSS protection rules.

🔍 How to Verify

Check if Vulnerable:

Check MoonShine version in composer.json or via composer show moonshine/moonshine.

Check Version:

composer show moonshine/moonshine | grep version

Verify Fix Applied:

Verify version is 3.12.4 or higher and test admin creation with XSS payloads to ensure they are sanitized.

📡 Detection & Monitoring

Log Indicators:

  • Unusual admin creation events with long or script-like names
  • Failed XSS attempts in web server logs

Network Indicators:

  • HTTP POST requests to admin creation endpoints containing JavaScript payloads

SIEM Query:

source="web_logs" AND (uri_path="/admin/create" OR uri_path LIKE "%/admin%") AND (request_body CONTAINS "<script>" OR request_body CONTAINS "javascript:")
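The SIEM query above expressed as a small log filter, added here as an example and not part of the advisory. It assumes a JSON-lines web log with uri_path and request_body fields (a constructed format; map the names to what your collector emits) and goes slightly beyond the raw CONTAINS clauses by URL-decoding the body first, so an encoded %3Cscript%3E is not missed. All sample lines are constructed, not real traffic.

```php
<?php
// Added example (not from the advisory): the detection logic of the SIEM query
// applied to JSON-lines web logs. Field names and sample records are constructed.

declare(strict_types=1);

/**
 * True when a decoded log record matches the advisory's indicators: an /admin
 * path (covers /admin/create and anything LIKE "%/admin%") whose request body
 * carries a <script tag or a javascript: URL. The body is URL-decoded and
 * lower-cased first so form-encoded and mixed-case payloads are still caught.
 */
function matchesAdminXssIndicator(array $record): bool
{
    $path = (string)($record['uri_path'] ?? '');
    $body = (string)($record['request_body'] ?? '');

    if (stripos($path, '/admin') === false) {
        return false;
    }
    $decoded = strtolower(rawurldecode($body));
    return str_contains($decoded, '<script') || str_contains($decoded, 'javascript:');
}

/** Filters JSON-lines text and returns the matching records, decoded. */
function findSuspiciousAdminRequests(string $jsonLines): array
{
    $hits = [];
    foreach (preg_split('/\R/', trim($jsonLines)) as $line) {
        if ($line === '') {
            continue;
        }
        $record = json_decode($line, true);
        if (!is_array($record)) {
            continue; // skip malformed lines rather than failing the whole run
        }
        if (matchesAdminXssIndicator($record)) {
            $hits[] = $record;
        }
    }
    return $hits;
}

// Constructed sample log lines: one clean admin request, two matching ones,
// and one script payload on a non-admin path that must not fire.
$sample = <<<'LOG'
{"ts":"2025-01-01T10:00:00Z","method":"POST","uri_path":"/admin/create","request_body":"name=Alice+Smith&email=a%40example.test"}
{"ts":"2025-01-01T10:00:05Z","method":"POST","uri_path":"/admin/create","request_body":"name=%3Cscript%3Ealert(1)%3C%2Fscript%3E&email=b%40example.test"}
{"ts":"2025-01-01T10:00:09Z","method":"POST","uri_path":"/admin/resource/users","request_body":"name=Bob&site=JavaScript:void(0)"}
{"ts":"2025-01-01T10:00:12Z","method":"POST","uri_path":"/contact","request_body":"msg=%3Cscript%3Ex%3C%2Fscript%3E"}
LOG;

$hits = findSuspiciousAdminRequests($sample);
assert(count($hits) === 2);
foreach ($hits as $hit) {
    printf("%s %s %s\n", $hit['ts'], $hit['method'], $hit['uri_path']);
}
```

Two hits are expected from the sample: the encoded script tag on /admin/create and the javascript: value under /admin/resource/users; the /contact line is ignored because the path clause fails. Pair this with the log indicator above (admin creation events with unusually long or script-like names) so that a payload which never reaches a logged request body, for example one submitted through a client that the web log does not capture, is still visible from the application side. str_contains() requires PHP 8.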

🔗 References
