GHSA-424m-fj2q-g7vg

Source
https://github.com/advisories/GHSA-424m-fj2q-g7vg
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/12/GHSA-424m-fj2q-g7vg/GHSA-424m-fj2q-g7vg.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-424m-fj2q-g7vg
Aliases
Published
2025-12-03T14:05:28Z
Modified
2025-12-03T14:27:33.103899Z
Severity
  • 7.6 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H
Summary
Aimeos GrapesJS CMS extension has possible stored XSS that's exploitable by authenticated editors
Details

Impact

JavaScript code can be injected by malicious editors for a stored XSS attack if the standard Content Security Policy is disabled.

Workaround

If the standard CSP rules are active (default in production mode), an exploit isn't possible.

Credits

Lwin Min Oo lwinminoo2244@gmail.com

Database specific
{
    "severity": "HIGH",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-79"
    ],
    "github_reviewed_at": "2025-12-03T14:05:28Z",
    "nvd_published_at": "2025-12-02T19:15:53Z"
}
References

Affected packages

Packagist

aimeos/ai-cms-grapesjs

Package

Name
aimeos/ai-cms-grapesjs
Purl
pkg:composer/aimeos/ai-cms-grapesjs

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2021.04.1
Fixed
2021.10.8

Affected versions

2021.*

2021.04.1
2021.04.2
2021.04.3
2021.04.4
2021.04.5
2021.04.6
2021.07.1
2021.07.2
2021.07.3
2021.07.4
2021.07.5
2021.07.6
2021.07.7
2021.10.1
2021.10.2
2021.10.3
2021.10.4
2021.10.5
2021.10.6
2021.10.7

aimeos/ai-cms-grapesjs

Package

Name
aimeos/ai-cms-grapesjs
Purl
pkg:composer/aimeos/ai-cms-grapesjs

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2022.04.1
Fixed
2022.10.9

Affected versions

2022.*

2022.04.1
2022.04.2
2022.04.3
2022.04.4
2022.07.1
2022.07.2
2022.07.3
2022.10.1
2022.10.2
2022.10.3
2022.10.4
2022.10.5
2022.10.6
2022.10.7
2022.10.8

aimeos/ai-cms-grapesjs

Package

Name
aimeos/ai-cms-grapesjs
Purl
pkg:composer/aimeos/ai-cms-grapesjs

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2023.04.1
Fixed
2023.10.15

Affected versions

2023.*

2023.04.1
2023.04.2
2023.07.1
2023.07.2
2023.07.3
2023.07.4
2023.10.1
2023.10.2
2023.10.3
2023.10.4
2023.10.5
2023.10.6
2023.10.7
2023.10.8
2023.10.9
2023.10.10
2023.10.11
2023.10.12
2023.10.13
2023.10.14

aimeos/ai-cms-grapesjs

Package

Name
aimeos/ai-cms-grapesjs
Purl
pkg:composer/aimeos/ai-cms-grapesjs

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2024.04.1
Fixed
2024.10.8

Affected versions

2024.*

2024.04.1
2024.04.2
2024.04.3
2024.04.4
2024.04.5
2024.04.6
2024.07.1
2024.07.2
2024.07.3
2024.10.1
2024.10.2
2024.10.3
2024.10.4
2024.10.5
2024.10.6
2024.10.7

aimeos/ai-cms-grapesjs

Package

Name
aimeos/ai-cms-grapesjs
Purl
pkg:composer/aimeos/ai-cms-grapesjs

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2025.04.1
Fixed
2025.10.2

Affected versions

2025.*

2025.04.1
2025.04.2
2025.07.1
2025.07.2
2025.10.1