CVE-2025-62414Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in Bagisto

CWE-80Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)CWE-87Improper Neutralization of Alternate XSS SyntaxCWE-79Cross-site Scripting4 documents4 sources
Severity
4.8MEDIUMNVD
CNA6.9
EPSS
0.0%
top 90.28%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
BagistoWebkul Bagisto
Timeline
PublishedOct 16

Description

Bagisto is an open source laravel eCommerce platform. In Bagisto v2.3.7, the “Create New Customer” feature (in the admin panel) is vulnerable to Cross-Site Scripting (XSS). An attacker with access to the admin create-customer form can inject malicious JavaScript payloads into certain input fields. These payloads may later execute in the context of an admin’s browser or another user viewing the customer data, enabling session theft or admin-level actions. This vulnerability is fixed in 2.3.8.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:NExploitability: 1.7 | Impact: 2.7

Affected Packages3 packages

CVEListV5bagisto/bagisto< 2.3.8
Packagistbagisto/bagisto< 2.3.8
NVDwebkul/bagisto2.3.7

🔴Vulnerability Details

3
CVEList
bagisto - Cross Site Scripting (XSS) in Create New Customer2025-10-16
GHSA
bagisto has Cross Site Scripting (XSS) in Create New Customer2025-10-16
OSV
bagisto has Cross Site Scripting (XSS) in Create New Customer2025-10-16
CVE-2025-62414 — Bagisto vulnerability | cvebase