CVE-2025-62415
MEDIUM6.9EPSS 0.04%bagisto has Cross Site Scripting (XSS) issue in TinyMCE Image Upload (HTML)
Description
### Summary In Bagisto v2.3.7, the TinyMCE image upload functionality allows an attacker with sufficient privileges (e.g. admin) to upload a crafted HTML file containing embedded JavaScript. When viewed, the malicious code executes in the context of the admin/user’s browser. ### Details The application blocks the uploading of HTML files; however, if the backend detected that the content of the .png file is HTML or JavaScript, the file extension will be automatically converted from .png to .html. When the HTML is viewed, it will execute the JavaScript code. ### PoC Created a html file, renamed the extension to .png, and uploaded the file. It was converted to HTML file in the backend. When opened in another tab, the JavaScript code will execute. <img width="1605" height="702" alt="image" src="https://github.com/user-attachments/assets/bd9406aa-2380-464f-ac21-32d483639969" /> <img width="1358" height="314" alt="image" src="https://github.com/user-attachments/assets/e5a64a5a-39fb-4fdb-ada9-14c4b9554803" /> ### Impact A aalicious script is stored in HTML file and executed when the content is viewed. An attacker (with upload privilege) can target other admin users or editors who view the content, enabling session hijacking, unauthorized actions, or privilege escalation.
Affected packages (1)
- Packagist/bagisto/bagistofrom 0, < 2.3.8
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM6.9 | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:N |