Platform: laravel
Component: bagisto/bagisto
Fixed in: 2.3.9
CVE-2025-62418 affects Bagisto, an open-source Laravel eCommerce platform. The vulnerability lies in the image upload functionality of the TinyMCE editor, where an attacker with administrative privileges can upload a crafted SVG file containing embedded JavaScript. When the uploaded image is viewed, the embedded JavaScript executes in the context of the administrator's or user's browser, potentially leading to session hijacking or data theft. The vulnerability is resolved in version 2.3.8.
The primary impact of CVE-2025-62418 is the potential for Cross-Site Scripting (XSS). An attacker can leverage this vulnerability to inject malicious JavaScript code into the Bagisto platform. This code can then be executed in the browsers of administrators and other users with sufficient privileges. Successful exploitation could allow an attacker to steal session cookies, redirect users to phishing sites, deface the website, or even gain unauthorized access to sensitive data stored within the Bagisto system. The blast radius extends to any user who views the malicious image, making it a significant security concern, particularly for platforms with a large user base and sensitive customer data. While the vulnerability requires administrative privileges to initially upload the malicious SVG, the subsequent impact can affect a wide range of users.
CVE-2025-62418 was published on 2025-10-16. The vulnerability's severity is currently assessed as MEDIUM (CVSS 6.9). There are no known public exploits or active campaigns targeting this vulnerability at the time of publication. It is not currently listed on KEV or EPSS. Monitor security advisories and threat intelligence feeds for any updates regarding exploitation attempts.
Exploit status:
EPSS: 0.03% (8th percentile)
CISA SSVC:
CVSS vector:
The primary mitigation for CVE-2025-62418 is to immediately upgrade Bagisto to version 2.3.8 or later. If upgrading is not immediately feasible, consider implementing temporary workarounds. Strictly validate all file uploads, particularly SVG files, to ensure they do not contain embedded JavaScript. Implement a Web Application Firewall (WAF) with rules to block the upload of SVG files containing JavaScript or other potentially malicious code. Consider using a content security policy (CSP) to restrict the execution of inline scripts and control the sources from which scripts can be loaded. Monitor Bagisto logs for suspicious file upload activity and unusual JavaScript execution patterns. After upgrading to 2.3.8, verify the fix by attempting to upload a test SVG file containing a simple JavaScript alert and confirming that it is blocked or sanitized.
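The strict SVG upload validation recommended above, as an added example that is not Bagisto's own code: a Python check that rejects an SVG when it carries script-capable elements, event-handler attributes, obfuscated javascript: URLs or external-resource CSS, and fails closed on unparseable input. The sample files are constructed here; in a Laravel deployment the same rules would be expressed as a custom upload validation rule.

```python
import re
import xml.etree.ElementTree as ET

# Elements that can execute script or embed arbitrary HTML inside an SVG.
FORBIDDEN_TAGS = {"script", "foreignobject", "iframe", "embed", "object", "handler"}
# Attributes that carry a URL; "javascript:" or a non-raster "data:" value here is an entry point.
URL_ATTRS = {"href", "src", "to", "from", "values", "by"}
DANGEROUS_URL_RE = re.compile(r"^(javascript|vbscript):|^data:(?!image/(png|jpe?g|gif|webp)[;,])", re.I)
# CSS constructs that pull in external resources or (in old engines) run code.
CSS_RE = re.compile(r"@import|url\s*\(|expression\s*\(", re.I)


def _local(name: str) -> str:
    """Reduce a Clark-notation name ('{uri}local') to its lower-cased local part."""
    return name.rsplit("}", 1)[-1].lower()


def find_svg_risks(data: bytes) -> list[str]:
    """Return the reasons an uploaded SVG should be rejected; an empty list means it passed."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"unparseable XML: {exc}"]  # fail closed rather than guess at intent
    reasons: list[str] = []
    if _local(root.tag) != "svg":
        reasons.append(f"root element is <{_local(root.tag)}>, not <svg>")
    for elem in root.iter():
        tag = _local(elem.tag)
        if tag in FORBIDDEN_TAGS:
            reasons.append(f"forbidden element <{tag}>")
        if tag == "style" and elem.text and CSS_RE.search(elem.text):
            reasons.append("<style> block references external resources")
        for attr, raw in elem.attrib.items():
            name = _local(attr)
            # Strip whitespace/control characters used to break up "javascript:" (e.g. jav&#x09;ascript:).
            value = re.sub(r"[\x00-\x20]", "", raw)
            if name.startswith("on"):
                reasons.append(f"event handler attribute '{name}' on <{tag}>")
            elif name in URL_ATTRS and DANGEROUS_URL_RE.match(value):
                reasons.append(f"dangerous URL in '{name}' on <{tag}>")
    return reasons


# Constructed samples: one benign icon and three uploads an admin-side check should refuse.
SAMPLES = {
    "benign": b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10"><circle cx="5" cy="5" r="4"/></svg>',
    "script_tag": b'<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>',
    "onload": b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"><rect width="1" height="1"/></svg>',
    "obfuscated_href": (b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
                        b'<a xlink:href="jav&#x09;ascript:alert(1)"><text y="9">x</text></a></svg>'),
}
```

Run `find_svg_risks` over each entry of `SAMPLES`: only `benign` returns an empty list, which is the accept condition for the upload.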
Upgrade Bagisto to version 2.3.8 or later. This version fixes the Cross-Site Scripting (XSS) vulnerability in the TinyMCE image upload functionality. The update prevents attackers from executing malicious code in the context of administrators' and users' browsers.
It is an XSS vulnerability in the Bagisto eCommerce platform, versions up to 2.3.8, that allows malicious SVG uploads to execute JavaScript in users' browsers.
If you are using Bagisto version 2.3.8 or earlier, you are potentially affected by this vulnerability. Assess your environment and prioritize upgrading.
Upgrade Bagisto to version 2.3.8 or later. Implement strict SVG upload validation and consider a WAF as temporary mitigations.
Currently, there are no known public exploits or active campaigns targeting CVE-2025-62418, but vigilance is still advised.
Refer to the official Bagisto security advisories and the NVD entry for CVE-2025-62418 for detailed information.