GHSA-424M-FJ2Q-G7VG
Vulnerability from github – Published: 2025-12-03 14:05 – Updated: 2025-12-03 14:05
Summary
Aimeos GrapesJS CMS extension has possible stored XSS that's exploitable by authenticated editors
Details
Impact
JavaScript code can be injected by malicious editors for a stored XSS attack if the standard Content Security Policy is disabled.
Workaround
If the standard CSP rules are active (default in production mode), an exploit isn't possible.
Credits
Lwin Min Oo <lwinminoo2244@gmail.com>
Severity
7.6 (High)
{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "aimeos/ai-cms-grapesjs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2021.04.1"
            },
            {
              "fixed": "2021.10.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "aimeos/ai-cms-grapesjs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2022.04.1"
            },
            {
              "fixed": "2022.10.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "aimeos/ai-cms-grapesjs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2023.04.1"
            },
            {
              "fixed": "2023.10.15"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "aimeos/ai-cms-grapesjs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2024.04.1"
            },
            {
              "fixed": "2024.10.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "aimeos/ai-cms-grapesjs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2025.04.1"
            },
            {
              "fixed": "2025.10.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-66468"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-12-03T14:05:28Z",
    "nvd_published_at": "2025-12-02T19:15:53Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\nJavascript code can be injected by malicious editors for a stored XSS attack if the standard Content Security Policy is disabled.\n\n### Workaround\n\nIf the standard CSP rules are active (default in production mode), an exploit isn\u0027t possible.\n\n### Credits\n\nLwin Min Oo \u003clwinminoo2244@gmail.com\u003e",
  "id": "GHSA-424m-fj2q-g7vg",
  "modified": "2025-12-03T14:05:28Z",
  "published": "2025-12-03T14:05:28Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/aimeos/ai-cms-grapesjs/security/advisories/GHSA-424m-fj2q-g7vg"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66468"
    },
    {
      "type": "WEB",
      "url": "https://github.com/aimeos/ai-cms-grapesjs/commit/2214f71ac27cdea25f11c8adf6bb5816db47a042"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/aimeos/ai-cms-grapesjs"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Aimeos GrapesJS CMS extension has possible stored XSS that\u0027s exploitable by authenticated editors"
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.