Platform
laravel
Component
bagisto/bagisto
Fixed in
2.3.9
CVE-2025-62414 affects Bagisto, an open-source eCommerce platform built on Laravel. The flaw is a cross-site scripting (XSS) issue in the "Create New Customer" feature of the admin panel: values entered through that form are later rendered without adequate encoding, so an attacker can store JavaScript that executes in the browser of whoever views the customer record. Successful exploitation can lead to session hijacking, unauthorized access to sensitive data, and full admin-level control. The text of this advisory states that versions up to and including 2.3.7 are affected and that 2.3.8 contains the fix; the metadata at the top of this page lists 2.3.9 as the fixed release, so confirm the exact patched version against the upstream Bagisto advisory before pinning an upgrade target.
An attacker who can submit the admin create-customer form can store arbitrary JavaScript in a customer record. That script then runs in the browser of any administrator (or other user) who views the record, under that user's session. From there the attacker can steal session cookies and take over the Bagisto admin panel, modify customer data, inject content into the storefront, or redirect users to phishing sites. The blast radius covers every account able to view customer data, and because the payload lives in the database it persists until the record is cleaned up. The precondition is some level of admin-panel access (enough to reach the create-customer form); the danger is the escalation from that foothold to a full administrator session, which is what makes this XSS variant more severe than a one-off reflected injection.
CVE-2025-62414 was published on 2025-10-16. Its severity is currently assessed as Medium (CVSS 6.9). No public exploit or active campaign targeting this vulnerability is known at the time of publication. It is not listed in CISA's KEV catalogue, and its EPSS score is low (0.03%, 8th percentile). Monitor security advisories and threat intelligence feeds for any updates on exploitation attempts.
Exploit status
EPSS
0.03% (8th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-62414 is to upgrade Bagisto to version 2.3.8 or later, which includes the fix. If upgrading immediately is not feasible, layer temporary controls. Server-side validation of the create-customer fields (rejecting markup in name and address fields) reduces exposure, but it does not fix the root cause of an XSS bug, which is rendering stored values without contextual output encoding; in a Laravel application that means auditing the templates that display customer data and confirming they emit the fields through escaping constructs (Blade's `{{ }}`) rather than raw ones (`{!! !!}` in Blade, `v-html` in Vue). A Web Application Firewall (WAF) tuned to block common XSS payloads adds another layer, and restricting admin-panel access to the staff who actually need it limits who can plant a payload in the first place. Keeping session cookies HttpOnly (Laravel's default session setting) blunts the cookie-theft outcome but not the rest of the impact, since injected script can still act through the victim's authenticated browser. After upgrading, verify the fix on a staging copy rather than in production: create a customer whose name contains a harmless marker script tag, open the customer list and detail views as an administrator, and confirm in the rendered page source that the tag appears escaped as text rather than as a live `<script>` element.
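The following is an added example, not Bagisto's own code, that models the two halves of the advice above in plain Python: how raw versus escaped interpolation of a customer name decides whether a stored payload executes, and how to check a rendered page for the marker by parsing the HTML rather than grepping for a substring (an escaped `&lt;script&gt;` contains the same characters but never becomes a script element). The row template, field names, marker string, and the stopgap name-validation rule are all assumptions made for this example.

```python
"""Added example (not Bagisto's code): regression check for stored XSS in a
customer record.

  render_customer_row  - renders a row either the vulnerable way (raw
                         interpolation, the equivalent of Blade's {!! !!} or
                         Vue's v-html) or the fixed way (HTML-escaped output,
                         the equivalent of Blade's {{ }}).
  payload_executes     - parses the rendered HTML and reports whether the
                         marker landed in executable context (a <script>
                         body or an on* event-handler attribute).
  name_is_acceptable   - a stopgap server-side validation rule for the
                         name fields; a temporary control, not the fix.
"""
import html
import re
from html.parser import HTMLParser

# Constructed marker payload: a unique token so a hit cannot be a coincidence.
MARKER = "xss-check-7f3a"
PAYLOAD = f'<script>document.title="{MARKER}"</script>'

# Hypothetical row template, roughly what an admin customer grid renders.
ROW_TEMPLATE = '<tr><td class="name">{first} {last}</td><td>{email}</td></tr>'


def render_customer_row(first: str, last: str, email: str, escape_output: bool) -> str:
    """escape_output=False mirrors the vulnerable behaviour (untrusted value
    dropped into markup verbatim); True mirrors the fix (HTML escaping on output)."""
    enc = html.escape if escape_output else (lambda s: s)
    return ROW_TEMPLATE.format(first=enc(first), last=enc(last), email=enc(email))


class _ScriptFinder(HTMLParser):
    """Collect bodies of real <script> elements and values of on* attributes.
    Escaped text such as &lt;script&gt; never produces a start tag, so it is
    correctly ignored."""

    def __init__(self):
        super().__init__()
        self._in_script = False
        self.script_bodies = []
        self.inline_handlers = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self.script_bodies.append("")
        for name, value in attrs:  # onerror=, onload=, onclick=, ...
            if name.lower().startswith("on") and value:
                self.inline_handlers.append(value)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.script_bodies[-1] += data


def payload_executes(rendered_html: str, marker: str = MARKER) -> bool:
    """True if the marker ends up in script context in the parsed DOM."""
    p = _ScriptFinder()
    p.feed(rendered_html)
    p.close()
    return any(marker in body for body in p.script_bodies + p.inline_handlers)


# Stopgap validation for the create-customer name fields (assumed rule):
# a leading letter, then letters, digits, spaces, dots, apostrophes or hyphens.
NAME_RE = re.compile(r"^[^\W\d_][\w .'\-]{0,99}$")


def name_is_acceptable(value: str) -> bool:
    return bool(NAME_RE.match(value))


if __name__ == "__main__":
    vuln = render_customer_row(PAYLOAD, "Doe", "jane@example.com", escape_output=False)
    fixed = render_customer_row(PAYLOAD, "Doe", "jane@example.com", escape_output=True)
    print("vulnerable rendering executes payload:", payload_executes(vuln))
    print("escaped rendering executes payload:   ", payload_executes(fixed))
    print("form accepts payload as a name:       ", name_is_acceptable(PAYLOAD))
```

In a real verification run you would replace the hypothetical template with the HTML actually returned by the admin customer views after saving a record whose first name is the marker payload; `payload_executes` then gives a yes/no answer that does not depend on eyeballing the page.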
Upgrade Bagisto to version 2.3.8 or later. This version contains the fix for the XSS vulnerability. The upgrade can be performed via Composer, following the official Bagisto documentation.
It is a cross-site scripting (XSS) vulnerability in the Bagisto eCommerce platform, versions 2.3.7 and earlier, that allows attackers to inject malicious scripts through the admin create-customer form.
If you are using Bagisto version 2.3.7 or earlier, you are vulnerable to this XSS attack. Upgrade immediately.
Upgrade Bagisto to version 2.3.8 or later to patch the vulnerability. Implement input validation as a temporary workaround if immediate upgrade isn't possible.
Currently, there are no known public exploits or active campaigns targeting CVE-2025-62414, but vigilance is still required.
Refer to the Bagisto security advisories and the NVD entry for CVE-2025-62414 for detailed information and updates.