CVE-2025-60880
HIGH8.3EPSS 0.01%Bagisto is vulnerable to XSS through Admin Panel's product creation path
發布日:2025/10/10修改日:2025/10/17
描述
An authenticated stored XSS vulnerability exists in the Bagisto 2.3.6 admin panel's product creation path, allowing an attacker to upload a crafted SVG file containing malicious JavaScript code. This vulnerability can be exploited by an authenticated admin user to execute arbitrary JavaScript in the browser, potentially leading to session hijacking, data theft, or unauthorized actions.
受影響套件(1)
- Packagist/bagisto/bagisto>= 2.3.6, < 2.3.7
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH8.3 | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:H |
參考連結(6)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2025-60880
- PATCHhttps://github.com/bagisto/bagisto
- WEBhttps://gist.github.com/daman-preet-singh/cd431f4c30a585bb87d3c69e4a8eec98
- WEBhttps://github.com/bagisto/bagisto/commit/9ec40c99c34a83f311ffbb7c1039a59ff9d655cc
- WEBhttps://github.com/darylldoyle/svg-sanitizer/releases
- WEBhttps://github.com/Shenal01/CVE-2025-60880