Cross-Site Scripting Vulnerability in Bagisto eCommerce Platform
CVE-2025-62415

6.9 MEDIUM

Key Information:

Vendor: Bagisto
Status: Vendor
CVE Published: 16 October 2025

What is CVE-2025-62415?

In Bagisto version 2.3.7, a security flaw in the TinyMCE image upload feature permits an authenticated user with sufficient permissions, such as an admin, to upload a maliciously crafted HTML file that includes embedded JavaScript. The stored file can then be served and executed in the context of the affected user's browser, potentially leading to unauthorized actions and data exposure. This vulnerability is addressed in version 2.3.8.
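The bug class above is an image upload handler that trusts the file it is given, so an HTML document is stored and later rendered. The following is an added illustration, not Bagisto's own code, of the content-based check such an endpoint can apply: identify the image type from magic bytes, require the extension to match, reject markup anywhere in the body (polyglots), and serve stored uploads with headers that stop the browser from treating them as HTML. Function and constant names are assumptions.

```python
import re

# Magic bytes of the raster formats an image uploader should accept
# (SVG is deliberately absent: it is XML and can carry <script>).
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}
EXT_FOR_MIME = {
    "image/png": {"png"}, "image/jpeg": {"jpg", "jpeg"},
    "image/gif": {"gif"}, "image/webp": {"webp"},
}
# Tag-like markup that has no business inside a raster image.
MARKUP = re.compile(
    rb"<\s*(!doctype|html|script|svg|iframe|object|embed)\b|javascript:", re.I)


def sniff_mime(data: bytes):
    """Identify the image type from content, ignoring name and client MIME."""
    for magic, mime in MAGIC.items():
        if data.startswith(magic):
            return mime
    if data[:4] == b"RIFF" and data[8:12] == b"WEBP":
        return "image/webp"
    return None


def validate_image_upload(filename: str, data: bytes):
    """Return (accepted, reason_or_mime). Only a raster image whose
    extension matches its content and that carries no markup passes."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    mime = sniff_mime(data)
    if mime is None:
        return False, "content is not a recognised raster image"
    if ext not in EXT_FOR_MIME[mime]:
        return False, f"extension .{ext} does not match {mime}"
    # Polyglot check: a valid image header followed by HTML can still be
    # rendered by a sniffing browser, so reject markup anywhere in the body.
    if MARKUP.search(data):
        return False, "file contains HTML/script markup"
    return True, mime


def response_headers(mime: str) -> dict:
    """Headers for serving a stored upload so it is never interpreted as HTML."""
    return {
        "Content-Type": mime,
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }
```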

Affected Version(s)

bagisto < 2.3.8

References

CVSS V3.1

Score: 6.9
Severity: MEDIUM
Confidentiality: High
Integrity: Low
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved