GHSA-fg89-g389-p346

Source

https://github.com/advisories/GHSA-fg89-g389-p346

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/10/GHSA-fg89-g389-p346/GHSA-fg89-g389-p346.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-fg89-g389-p346

Aliases

CVE-2025-62418

Published

2025-10-16T20:41:03Z

Modified

2025-10-16T21:57:55.719472Z

Severity

6.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:N CVSS Calculator

Summary

bagisto has a Cross Site Scripting (XSS) vulnerability in TinyMCE Image Upload (SVG)

Details

Summary

In Bagisto v2.3.7, the TinyMCE image upload functionality allows an attacker with sufficient privileges (e.g. admin) to upload a crafted SVG file containing embedded JavaScript. When viewed, the malicious code executes in the context of the admin/user’s browser.

Details

The underlying problem is that SVG is XML/markup, so when it is uploaded and then directly rendered or embedded, script or event handlers within are allowed to run unless sanitized. In Bagisto, the integration of TinyMCE’s image upload (or media manager) may accept SVG files without sanitizing or rejecting unsafe content. When the SVG is later included (inline or via object/embed) in content displayed in admin or UI, the browser may execute the script portion of the SVG. The application might not validate the file content (i.e. inspect the SVG XML) or strip <script>, onload, onclick, foreignObject, xlink:href injection, objects/embed tags, etc.

PoC

Navigate to any forms with TinyMCE editor. Attempt to upload a SVG file with embedded JavaScript. <img width="1580" height="795" alt="image" src="https://github.com/user-attachments/assets/17df21a4-bfcd-4c51-a963-68f68241fd2e" /> JavaScript was triggered. <img width="1402" height="409" alt="image" src="https://github.com/user-attachments/assets/d0e326c3-6f23-449d-8f90-1e1032818d80" />

Impact

Malicious script is stored in SVG file and executed when the content is viewed. An attacker (with upload privilege) can target other admin users or editors who view the content, enabling session hijacking, unauthorized actions, or privilege escalation.

Database specific

{
    "github_reviewed": true,
    "nvd_published_at": "2025-10-16T19:15:34Z",
    "cwe_ids": [
        "CWE-79",
        "CWE-80",
        "CWE-87"
    ],
    "github_reviewed_at": "2025-10-16T20:41:03Z",
    "severity": "MODERATE"
}

References

Affected packages

Packagist / bagisto/bagisto

Package

Name: bagisto/bagisto
Purl: pkg:composer/bagisto/bagisto

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.3.8

Affected versions

v0.*

v0.1.0

v0.1.1

v0.1.2

v0.1.3

v0.1.4-BETA1

v0.1.4-BETA2

v0.1.4-BETA3

v0.1.4-BETA4

v0.1.4

v0.1.5

v0.1.6-ALPHA1

v0.1.6

v0.1.7-BETA1

v0.1.7-BETA2

v0.1.7

v0.1.8

v0.1.9-BETA1

v0.1.9

v0.2.0

v0.2.1

v0.2.2

v1.*

v1.0.0-BETA1

v1.0.0

v1.1.0

v1.1.1

v1.1.2

v1.2.0-BETA1

v1.2.0

v1.3.0

v1.3.1

v1.3.2

v1.3.3

v1.4.0

v1.4.1

v1.4.2

v1.4.3

v1.4.4

v1.4.5

v1.5.0

v1.5.1

v2.*

v2.0.0-BETA-1

v2.0.0

v2.1.0

v2.1.1

v2.1.2

v2.2.0

v2.2.1

v2.2.2

v2.2.3

v2.2.4

v2.2.5

v2.2.6

v2.2.7

v2.2.8

v2.2.9

v2.2.10

v2.3.0

v2.3.1

v2.3.2

v2.3.3

v2.3.4

v2.3.5

v2.3.6

v2.3.7

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/10/GHSA-fg89-g389-p346/GHSA-fg89-g389-p346.json"

last_known_affected_version_range

"<= 2.3.7"