SB20260425206 - Multiple vulnerabilities in Bagisto
Published: April 25, 2026
Description
This security bulletin contains information about 5 security vulnerabilities.
1) Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) (CVE-ID: CVE-2025-62415)
The vulnerability allows a remote user to execute arbitrary script in a victim's browser.
The vulnerability exists due to improper neutralization of script-related HTML tags in TinyMCE image upload functionality when processing an uploaded file disguised as a PNG image. A remote privileged user can upload a crafted HTML file renamed with a .png extension to execute arbitrary script in a victim's browser.
User interaction is required to view the uploaded content.
2) Improper Neutralization of Special Elements Used in a Template Engine (CVE-ID: CVE-2025-62416)
The vulnerability allows a remote user to execute arbitrary code.
The vulnerability exists due to improper neutralization of special elements used in a template engine in the product description field when rendering product descriptions through the Blade templating engine. A remote privileged user can inject crafted template expressions to execute arbitrary code.
User interaction is required to preview the page.
3) Improper Neutralization of Formula Elements in a CSV File (CVE-ID: CVE-2025-62417)
The vulnerability allows a remote user to execute arbitrary commands or disclose sensitive information.
The vulnerability exists due to improper neutralization of formula elements in the CSV export functionality: user-supplied product data is written to the exported CSV file unchanged, and the resulting file is later opened in spreadsheet software. A remote user can supply a crafted CSV field value to execute arbitrary commands or disclose sensitive information.
User interaction is required to open the crafted CSV file in a spreadsheet application.
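The mitigation for the CSV weakness described in item 3 is to neutralize, at export time, any cell whose first non-space character a spreadsheet would read as the start of a formula. The following is an added example written for this bulletin, not code from Bagisto or from the advisory; the product rows, field names and the `write_csv`/`find_formula_cells` helpers are constructed for illustration. It shows the defused export beside an audit function that scans an already-produced CSV for cells spreadsheet software would evaluate.

```python
import csv
import io

# First characters that common spreadsheet applications treat as the start
# of a formula. Tab and carriage return are included because some
# applications treat them as separators that can lead into a formula cell.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def neutralize_cell(value):
    """Prefix a formula-looking cell with a single quote.

    Spreadsheet applications treat a leading quote as "render as text", so
    the original content is preserved but never evaluated. Leading spaces
    are skipped before the check because " =1+1" is also evaluated.
    """
    text = "" if value is None else str(value)
    if text and text.lstrip(" ")[:1] in FORMULA_TRIGGERS:
        return "'" + text
    return text


def write_csv(rows, fieldnames, neutralize=True):
    """Serialize product rows to CSV text (constructed helper).

    With neutralize=True every cell passes through neutralize_cell; with
    neutralize=False the export reproduces the unsafe behaviour so the
    audit function below can be demonstrated against it.
    """
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames, lineterminator="\n")
    writer.writeheader()
    for row in rows:
        cells = {k: row.get(k, "") for k in fieldnames}
        if neutralize:
            cells = {k: neutralize_cell(v) for k, v in cells.items()}
        writer.writerow(cells)
    return buf.getvalue()


def find_formula_cells(csv_text):
    """Report (row, column, value) for every cell a spreadsheet would
    evaluate as a formula. Useful for auditing exports you did not build."""
    findings = []
    reader = csv.reader(io.StringIO(csv_text))
    for r, row in enumerate(reader):
        for c, cell in enumerate(row):
            if cell and cell.lstrip(" ")[:1] in FORMULA_TRIGGERS:
                findings.append((r, c, cell))
    return findings


# Constructed sample data: one ordinary product and one whose user-supplied
# name and description happen to start with formula trigger characters.
FIELDNAMES = ["sku", "name", "description"]
SAMPLE_ROWS = [
    {"sku": "SKU-001", "name": "Blue mug", "description": "Ceramic, 300 ml"},
    {"sku": "SKU-002", "name": "=SUM(1,2)", "description": "-10% this week"},
]

if __name__ == "__main__":
    unsafe = write_csv(SAMPLE_ROWS, FIELDNAMES, neutralize=False)
    print("cells a spreadsheet would evaluate in the raw export:")
    for r, c, cell in find_formula_cells(unsafe):
        print(f"  row {r}, column {c}: {cell!r}")
    safe = write_csv(SAMPLE_ROWS, FIELDNAMES)
    print("after neutralization:", find_formula_cells(safe) or "none")
    print(safe)
```

Note that legitimate values such as negative numbers or "-10% this week" are also quoted; that is the expected trade-off of this technique, and the audit function treats them the same way because the spreadsheet does.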
4) Improper Neutralization of Alternate XSS Syntax (CVE-ID: CVE-2025-62418)
The vulnerability allows a remote user to execute arbitrary script in a victim's browser.
The vulnerability exists due to improper neutralization of alternate XSS syntax in the TinyMCE image upload functionality when processing a crafted SVG file containing embedded JavaScript. A remote privileged user can upload a crafted SVG file to execute arbitrary script in a victim's browser.
User interaction is required when another user views the uploaded content.
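Items 1 and 4 share one root cause: the upload handler trusted the file's extension or declared type rather than its content, so an HTML document renamed to .png and an SVG carrying script were both stored as images. The check below is an added example for this bulletin, not code from Bagisto, TinyMCE or the advisory; the signatures are the standard PNG/JPEG/GIF magic bytes, and the file names, sample byte strings and the `validate_image_upload` helper are constructed. It accepts a file only when the bytes carry a known raster image signature that agrees with the extension, and rejects anything that starts with markup, which covers both the disguised HTML file and SVG.

```python
import re

# Leading-byte signatures of the raster formats this example accepts.
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
JPEG_SIGNATURE = b"\xff\xd8\xff"
GIF_SIGNATURES = (b"GIF87a", b"GIF89a")

# Declared extension -> content type the client is claiming. SVG is
# deliberately absent: it is an XML document and may carry <script>.
ALLOWED_EXTENSIONS = {
    "png": "image/png",
    "jpg": "image/jpeg",
    "jpeg": "image/jpeg",
    "gif": "image/gif",
}

# Markup markers a browser would render if the file were served as HTML or
# SVG. Applied to the lowercased head of the file, so matching is
# case-insensitive and tolerates leading whitespace inside the tag.
MARKUP_RE = re.compile(rb"<\s*(?:\?xml|!doctype|html|svg|script)")


def sniff_image_type(data):
    """Return the content type implied by the leading bytes, or None."""
    if data.startswith(PNG_SIGNATURE):
        return "image/png"
    if data.startswith(JPEG_SIGNATURE):
        return "image/jpeg"
    if data.startswith(GIF_SIGNATURES):
        return "image/gif"
    return None


def looks_like_markup(data):
    """True if the first kilobyte opens with an HTML/SVG/XML marker."""
    head = data[:1024].lstrip().lower()
    return MARKUP_RE.search(head) is not None


def validate_image_upload(filename, data):
    """Decide whether an upload may be stored as an image.

    Returns (accepted, reason). The extension is used only to look up what
    the client claims; the decision is made on the bytes. A disguised HTML
    file fails the signature check, and SVG fails both the extension
    allow-list and the markup check.
    """
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    claimed = ALLOWED_EXTENSIONS.get(ext)
    if claimed is None:
        return False, f"extension .{ext or '(none)'} is not an allowed image type"
    if looks_like_markup(data):
        return False, "content is markup (HTML/SVG/XML), not a raster image"
    actual = sniff_image_type(data)
    if actual is None:
        return False, "content does not start with a known image signature"
    if actual != claimed:
        return False, f"extension claims {claimed} but content is {actual}"
    return True, actual


# Constructed sample uploads (not files from any real system).
REAL_PNG_HEAD = PNG_SIGNATURE + b"\x00\x00\x00\rIHDR" + bytes(17)
HTML_RENAMED_TO_PNG = b"<html><body><script>/* constructed */</script></body></html>"
SVG_WITH_SCRIPT = (
    b'<?xml version="1.0"?>\n<svg xmlns="http://www.w3.org/2000/svg">'
    b"<script>/* constructed */</script></svg>"
)
JPEG_HEAD = JPEG_SIGNATURE + b"\xe0\x00\x10JFIF"

if __name__ == "__main__":
    samples = [
        ("photo.png", REAL_PNG_HEAD),
        ("page.png", HTML_RENAMED_TO_PNG),
        ("logo.svg", SVG_WITH_SCRIPT),
        ("logo.png", SVG_WITH_SCRIPT),
        ("photo.png", JPEG_HEAD),
    ]
    for name, blob in samples:
        ok, why = validate_image_upload(name, blob)
        print(f"{name:10} {'ACCEPT' if ok else 'REJECT'}: {why}")
```

Content validation at upload time is one half of the fix; the stored file should also be served with the content type derived from the validated bytes and with `X-Content-Type-Options: nosniff`, so the browser does not reinterpret it even if a check is bypassed later.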
5) Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) (CVE-ID: CVE-2025-62414)
The vulnerability allows a remote user to execute arbitrary script in a victim's browser.
The vulnerability exists due to improper neutralization of script-related HTML tags in the create new customer feature in the admin panel when rendering customer data in the admin UI. A remote privileged user can inject malicious JavaScript into customer input fields to execute arbitrary script in a victim's browser.
User interaction is required when an admin or another user views the injected customer record.
Remediation
Install the update from the vendor's website.
References
- https://github.com/bagisto/bagisto/security/advisories/GHSA-67px-r26w-598x
- https://github.com/advisories/GHSA-67px-r26w-598x
- https://github.com/bagisto/bagisto/security/advisories/GHSA-527q-4wqv-g9wj
- https://github.com/advisories/GHSA-527q-4wqv-g9wj
- https://github.com/bagisto/bagisto/security/advisories/GHSA-jqrp-58fv-w8cq
- https://github.com/advisories/GHSA-jqrp-58fv-w8cq
- https://github.com/bagisto/bagisto/security/advisories/GHSA-fg89-g389-p346
- https://github.com/advisories/GHSA-fg89-g389-p346
- https://github.com/bagisto/bagisto/security/advisories/GHSA-r9xj-mvqf-jm7w
- https://github.com/advisories/GHSA-r9xj-mvqf-jm7w