GHSA-67PX-R26W-598X

Vulnerability from github – Published: 2025-10-16 18:12 – Updated: 2025-10-16 21:54
Summary
bagisto has Cross Site Scripting (XSS) issue in TinyMCE Image Upload (HTML)
Details

Summary

In Bagisto v2.3.7, the TinyMCE image upload functionality allows an attacker with sufficient privileges (e.g. admin) to upload a crafted HTML file containing embedded JavaScript. When viewed, the malicious code executes in the context of the admin/user’s browser.

Details

The application blocks direct uploads of HTML files; however, if the backend detects that the content of an uploaded .png file is HTML or JavaScript, it automatically rewrites the file extension from .png to .html based on the sniffed content type. When the resulting HTML file is viewed, the embedded JavaScript executes.

PoC

Created an HTML file, renamed the extension to .png, and uploaded the file. It was converted to an HTML file in the backend. When opened in another tab, the JavaScript code executes.

Impact

A malicious script is stored in an HTML file and executed when the content is viewed. An attacker (with upload privilege) can target other admin users or editors who view the content, enabling session hijacking, unauthorized actions, or privilege escalation.
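The root cause described above is an upload handler that trusts a sniffed content type enough to rewrite the stored extension to .html. The defensive alternative is to require that the declared image extension and the file's magic bytes agree, and to reject (never relabel) anything that sniffs as HTML. The following validator is an added example written for this advisory; it is not Bagisto's code or its fix, and the sample inputs are constructed.

```python
"""Image-upload validator: reject files whose bytes do not match the declared
image extension, instead of re-labelling them by sniffed content type."""
import re

# Magic-byte prefixes for the image types the upload endpoint should accept.
MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "webp": None,  # RIFF....WEBP, checked separately in magic_matches()
}

# Markers a browser's MIME sniffer treats as HTML (case-insensitive). A real
# PNG never starts with these; a crafted "image" that is HTML does.
HTML_MARKERS = re.compile(
    rb"<\s*(!doctype\s+html|html|script|iframe|svg|body|img|a\s)", re.I)


def looks_like_html(data: bytes) -> bool:
    """True if the first 1 KiB (the region sniffers inspect) has an HTML marker."""
    return HTML_MARKERS.search(data[:1024]) is not None


def magic_matches(ext: str, data: bytes) -> bool:
    """True if the file's leading bytes are the signature of the declared type."""
    if ext == "webp":
        return data[:4] == b"RIFF" and data[8:12] == b"WEBP"
    prefixes = MAGIC.get(ext)
    return bool(prefixes) and any(data.startswith(p) for p in prefixes)


def validate_image_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Return (accepted, reason). The stored extension is always the declared
    one; sniffed content only ever causes rejection, never a rename."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in MAGIC:
        return False, f"extension .{ext or '?'} not in image allow-list"
    if looks_like_html(data):
        return False, "content sniffs as HTML/script; rejected, not renamed"
    if not magic_matches(ext, data):
        return False, f"bytes do not match the .{ext} signature"
    return True, "ok"


# Constructed sample inputs (not taken from the advisory).
REAL_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
HTML_AS_PNG = b"<html><body><script>/* constructed */</script></body></html>"

if __name__ == "__main__":
    for name, blob in (("logo.png", REAL_PNG), ("notimage.png", HTML_AS_PNG)):
        print(name, validate_image_upload(name, blob))
```

The HTML check runs before the signature check so that a file is refused for the right reason; serving accepted images with `X-Content-Type-Options: nosniff` and a fixed `Content-Type` closes the same gap on the download side.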


{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.3.7"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "bagisto/bagisto"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.3.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-62415"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79",
      "CWE-80",
      "CWE-87"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-10-16T18:12:10Z",
    "nvd_published_at": "2025-10-16T19:15:34Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nIn Bagisto v2.3.7, the TinyMCE image upload functionality allows an attacker with sufficient privileges (e.g. admin) to upload a crafted HTML file containing embedded JavaScript. When viewed, the malicious code executes in the context of the admin/user\u2019s browser.\n\n### Details\nThe application blocks the uploading of HTML files; however, if the backend detected that the content of the .png file is HTML or JavaScript, the file extension will be automatically converted from .png to .html. When the HTML is viewed, it will execute the JavaScript code.\n\n### PoC\nCreated a html file, renamed the extension to .png, and uploaded the file. It was converted to HTML file in the backend. When opened in another tab, the JavaScript code will execute.\n\u003cimg width=\"1605\" height=\"702\" alt=\"image\" src=\"https://github.com/user-attachments/assets/bd9406aa-2380-464f-ac21-32d483639969\" /\u003e\n\u003cimg width=\"1358\" height=\"314\" alt=\"image\" src=\"https://github.com/user-attachments/assets/e5a64a5a-39fb-4fdb-ada9-14c4b9554803\" /\u003e\n\n### Impact\nA aalicious script is stored in HTML file and executed when the content is viewed. An attacker (with upload privilege) can target other admin users or editors who view the content, enabling session hijacking, unauthorized actions, or privilege escalation.",
  "id": "GHSA-67px-r26w-598x",
  "modified": "2025-10-16T21:54:25Z",
  "published": "2025-10-16T18:12:10Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/bagisto/bagisto/security/advisories/GHSA-67px-r26w-598x"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62415"
    },
    {
      "type": "WEB",
      "url": "https://github.com/bagisto/bagisto/commit/7b6b1dd639a14e7053bb82ef2f971c1f533fdfab"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/bagisto/bagisto"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "bagisto has Cross Site Scripting (XSS) issue in TinyMCE Image Upload (HTML)"
}
