CVE-2025-62415
published 2025-10-16CVE-2025-62415: Bagisto is an open source laravel eCommerce platform. In Bagisto v2.3.7, the TinyMCE image upload functionality allows an attacker with sufficient privileges…
PriorityP423medium4.8CVSS 3.1
AVNACLPRHUIRSCCLILAN
EPSS
0.26%
16.7th percentile
Bagisto is an open source laravel eCommerce platform. In Bagisto v2.3.7, the TinyMCE image upload functionality allows an attacker with sufficient privileges (e.g. admin) to upload a crafted HTML file containing embedded JavaScript. When viewed, the malicious code executes in the context of the admin/user’s browser. This vulnerability is fixed in 2.3.8.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| bagisto | bagisto | < 2.3.8 | 2.3.8 |
| bagisto | bagisto | >= 0 < 2.3.8 | 2.3.8 |
| webkul | bagisto | — | — |
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
bagisto has Cross Site Scripting (XSS) issue in TinyMCE Image Upload (HTML)
ghsa·2025-10-16
CVE-2025-62415 [MEDIUM] CWE-79 bagisto has Cross Site Scripting (XSS) issue in TinyMCE Image Upload (HTML)
bagisto has Cross Site Scripting (XSS) issue in TinyMCE Image Upload (HTML)
### Summary
In Bagisto v2.3.7, the TinyMCE image upload functionality allows an attacker with sufficient privileges (e.g. admin) to upload a crafted HTML file containing embedded JavaScript. When viewed, the malicious code executes in the context of the admin/user’s browser.
### Details
The application blocks the uploading of HTML files; however, if the backend detected that the content of the .png file is HTML or JavaScript, the file extension will be automatically converted from .png to .html. When the HTML is viewed, it will execute the JavaScript code.
### PoC
Created a html file, renamed the extension to .png, and uploaded the file. It was converted to HTML file in the backend. When opened in another tab, t
OSV
bagisto has Cross Site Scripting (XSS) issue in TinyMCE Image Upload (HTML)
osv·2025-10-16
CVE-2025-62415 [MEDIUM] bagisto has Cross Site Scripting (XSS) issue in TinyMCE Image Upload (HTML)
bagisto has Cross Site Scripting (XSS) issue in TinyMCE Image Upload (HTML)
### Summary
In Bagisto v2.3.7, the TinyMCE image upload functionality allows an attacker with sufficient privileges (e.g. admin) to upload a crafted HTML file containing embedded JavaScript. When viewed, the malicious code executes in the context of the admin/user’s browser.
### Details
The application blocks the uploading of HTML files; however, if the backend detected that the content of the .png file is HTML or JavaScript, the file extension will be automatically converted from .png to .html. When the HTML is viewed, it will execute the JavaScript code.
### PoC
Created a html file, renamed the extension to .png, and uploaded the file. It was converted to HTML file in the backend. When opened in another tab, t
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2025-10-16
Published