CVE-2025-62418 - Vulnerability Details - OpenCVE

Bagisto is an open source laravel eCommerce platform. In Bagisto v2.3.7, the TinyMCE image upload functionality allows an attacker with sufficient privileges (e.g. admin) to upload a crafted SVG file containing embedded JavaScript. When viewed, the malicious code executes in the context of the admin/user’s browser. This vulnerability is fixed in 2.3.8.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact High

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.0003.

Exploitation poc

Automatable no

Technical Impact partial

No data.

No data.

No data.

No data.

Advisories

Source	ID	Title
Github GHSA	GHSA-fg89-g389-p346	bagisto has a Cross Site Scripting (XSS) vulnerability in TinyMCE Image Upload (SVG)

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://github.com/bagisto/bagisto/security/advisories/GHSA-fg89-g389-p346

History

Fri, 17 Oct 2025 15:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Thu, 16 Oct 2025 18:45:00 +0000

Type	Values Removed	Values Added
Description		Bagisto is an open source laravel eCommerce platform. In Bagisto v2.3.7, the TinyMCE image upload functionality allows an attacker with sufficient privileges (e.g. admin) to upload a crafted SVG file containing embedded JavaScript. When viewed, the malicious code executes in the context of the admin/user’s browser. This vulnerability is fixed in 2.3.8.
Title		bagisto - Cross Site Scripting (XSS) in TinyMCE Image Upload (SVG)
Weaknesses		CWE-80 CWE-87
References		https://github.com/bagisto/bagisto/security/advisories/GHSA-fg89-g389-p346
Metrics		cvssV3_1 `{'score': 6.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:N'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2025-10-16T18:35:06.105Z

Updated: 2025-10-17T14:31:21.920Z

Reserved: 2025-10-13T16:26:12.179Z

Link: CVE-2025-62418

Vulnrichment

Updated: 2025-10-17T14:31:10.820Z

NVD

Status : Received

Published: 2025-10-16T19:15:34.803

Modified: 2025-10-17T15:15:40.063

Link: CVE-2025-62418

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-62418", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-10-13T16:26:12.179Z", "datePublished": "2025-10-16T18:35:06.105Z", "dateUpdated": "2025-10-17T14:31:21.920Z"}, "containers": {"cna": {"title": "bagisto - Cross Site Scripting (XSS) in TinyMCE Image Upload (SVG)", "problemTypes": [{"descriptions": [{"cweId": "CWE-80", "lang": "en", "description": "CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-87", "lang": "en", "description": "CWE-87: Improper Neutralization of Alternate XSS Syntax", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/bagisto/bagisto/security/advisories/GHSA-fg89-g389-p346", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/bagisto/bagisto/security/advisories/GHSA-fg89-g389-p346"}], "affected": [{"vendor": "bagisto", "product": "bagisto", "versions": [{"version": "< 2.3.8", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-10-16T18:35:06.105Z"}, "descriptions": [{"lang": "en", "value": "Bagisto is an open source laravel eCommerce platform. In Bagisto v2.3.7, the TinyMCE image upload functionality allows an attacker with sufficient privileges (e.g. admin) to upload a crafted SVG file containing embedded JavaScript. When viewed, the malicious code executes in the context of the admin/user\u2019s browser. This vulnerability is fixed in 2.3.8."}], "source": {"advisory": "GHSA-fg89-g389-p346", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/bagisto/bagisto/security/advisories/GHSA-fg89-g389-p346", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-10-17T14:31:17.545230Z", "id": "CVE-2025-62418", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-17T14:31:21.920Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-62418", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-10-17T14:31:17.545230Z"}}}], "references": [{"url": "https://github.com/bagisto/bagisto/security/advisories/GHSA-fg89-g389-p346", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-17T14:31:10.820Z"}}], "cna": {"title": "bagisto - Cross Site Scripting (XSS) in TinyMCE Image Upload (SVG)", "source": {"advisory": "GHSA-fg89-g389-p346", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "bagisto", "product": "bagisto", "versions": [{"status": "affected", "version": "< 2.3.8"}]}], "references": [{"url": "https://github.com/bagisto/bagisto/security/advisories/GHSA-fg89-g389-p346", "name": "https://github.com/bagisto/bagisto/security/advisories/GHSA-fg89-g389-p346", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Bagisto is an open source laravel eCommerce platform. In Bagisto v2.3.7, the TinyMCE image upload functionality allows an attacker with sufficient privileges (e.g. admin) to upload a crafted SVG file containing embedded JavaScript. When viewed, the malicious code executes in the context of the admin/user\u2019s browser. This vulnerability is fixed in 2.3.8."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-80", "description": "CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-87", "description": "CWE-87: Improper Neutralization of Alternate XSS Syntax"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-10-16T18:35:06.105Z"}}}, "cveMetadata": {"cveId": "CVE-2025-62418", "state": "PUBLISHED", "dateUpdated": "2025-10-17T14:31:21.920Z", "dateReserved": "2025-10-13T16:26:12.179Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-10-16T18:35:06.105Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}