CVE-2025-62415Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in Bagisto

CWE-80Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)CWE-87Improper Neutralization of Alternate XSS SyntaxCWE-79Cross-site Scripting4 documents4 sources
Severity
4.8MEDIUMNVD
CNA6.9
EPSS
0.0%
top 90.28%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
BagistoWebkul Bagisto
Timeline
PublishedOct 16

Description

Bagisto is an open source laravel eCommerce platform. In Bagisto v2.3.7, the TinyMCE image upload functionality allows an attacker with sufficient privileges (e.g. admin) to upload a crafted HTML file containing embedded JavaScript. When viewed, the malicious code executes in the context of the admin/user’s browser. This vulnerability is fixed in 2.3.8.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:NExploitability: 1.7 | Impact: 2.7

Affected Packages3 packages

CVEListV5bagisto/bagisto< 2.3.8
Packagistbagisto/bagisto< 2.3.8
NVDwebkul/bagisto2.3.7

🔴Vulnerability Details

3
GHSA
bagisto has Cross Site Scripting (XSS) issue in TinyMCE Image Upload (HTML)2025-10-16
OSV
bagisto has Cross Site Scripting (XSS) issue in TinyMCE Image Upload (HTML)2025-10-16
CVEList
bagisto - Cross Site Scripting (XSS) in TinyMCE Image Upload (HTML)2025-10-16
CVE-2025-62415 — Bagisto vulnerability | cvebase