MEDIUM Severity

CVE-2025-5010

Cross-Site Scripting vulnerability in moonlightL hexo-boot 4.3.0

Overview

A cross-site scripting vulnerability has been found in moonlightL hexo-boot 4.3.0, in the file /admin/home/index.html of the Blog Backend component. Manipulating the "Description" argument triggers the flaw, and the attack can be launched remotely.

Technical Details

The issue exists because user-supplied data passed in the "Description" argument is not adequately sanitized before it is rendered by /admin/home/index.html. An attacker who can set that value can have arbitrary HTML and script executed in the browser session of any user who views the affected page. Note that the CVSS metrics below rate Privileges Required as HIGH and User Interaction as REQUIRED: the attacker needs a privileged account to supply the payload, and a victim must open the page that renders it.

CVSS Metrics

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: HIGH
  • User Interaction: REQUIRED
  • Confidentiality Impact: NONE
  • Integrity Impact: PARTIAL
  • Availability Impact: NONE
  • CVSS Base Score: 4.8

Impact

Successful exploitation lets the injected script run with the privileges of the victim's session on the affected backend. It can read cookie-based session credentials (unless the cookie is marked HttpOnly), issue requests as the victim, alter how the page is rendered, and redirect the user to attacker-controlled content, including sites that attempt to deliver malware.

Recommendations

Protect against the vulnerability by validating input on the server and encoding output for the context in which it is rendered (HTML text, attribute, JavaScript, or URL), so that characters such as <, >, &, and quotes cannot change the meaning of the markup. Marking session cookies HttpOnly and deploying a Content Security Policy limit the damage of any remaining injection but do not remove the flaw. Update to a patched version of the software if one is available.
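The following is an added example, not code from hexo-boot or its author, illustrating both the unsanitized rendering described under Technical Details and the validate-and-encode fix recommended above. The function names, the wrapper markup, and the two payload strings are assumptions constructed for the illustration; the real template in /admin/home/index.html is not shown on this page.

```javascript
// Added illustration (not hexo-boot's own code): a "Description" value
// interpolated into HTML without encoding, beside the encoded version.
// All names and markup here are hypothetical.

// Constructed attacker-controlled values for the "Description" argument.
// One targets HTML text context, the other breaks out of a quoted attribute.
const PAYLOAD = '<img src=x onerror=alert(document.cookie)>';
const ATTR_PAYLOAD = '" autofocus onfocus="alert(1)';

// Vulnerable pattern: raw interpolation of user data into HTML text.
function renderDescriptionUnsafe(description) {
  return '<div class="description">' + description + '</div>';
}

// Encode the five characters that can change meaning in HTML text or in a
// double- or single-quoted attribute value.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hardened: identical markup, but the data is encoded for the HTML text
// context it lands in, so the browser shows the payload instead of running it.
function renderDescriptionSafe(description) {
  return '<div class="description">' + escapeHtml(description) + '</div>';
}

// The same encoding applied in attribute context, e.g. an edit form that
// pre-fills the stored value. Without it ATTR_PAYLOAD closes the quote and
// adds an event-handler attribute.
function renderEditFieldSafe(description) {
  return '<input name="description" value="' + escapeHtml(description) + '">';
}

// Server-side validation as defence in depth, not a substitute for encoding:
// reject non-strings, oversized values and control characters, but allow
// ordinary punctuation because encoding, not validation, handles HTML meaning.
function validateDescription(value) {
  if (typeof value !== 'string') return false;
  if (value.length > 500) return false;
  return !/[\u0000-\u0008\u000B\u000C\u000E-\u001F]/.test(value);
}

// Did the raw payload survive into the rendered markup unchanged?
function payloadSurvives(html, payload) {
  return html.includes(payload);
}

console.log('unsafe:', renderDescriptionUnsafe(PAYLOAD));
console.log('safe:  ', renderDescriptionSafe(PAYLOAD));
console.log('attr:  ', renderEditFieldSafe(ATTR_PAYLOAD));
```

Encoding must be chosen per output context: the escapeHtml above is correct for HTML text and quoted attributes, but a value placed inside a script block or a URL needs JavaScript-string or URL encoding instead, which is why the recommendation above says "for the context in which it is rendered".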

Threat Metrics

  • cvss_score: 4.8
  • severity: MEDIUM
  • attack_vector: NETWORK
  • attack_complexity: LOW