CVE-2024-27499: Bagist Cross-site Scripting vulnerability
6.5
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.11416%
CWE
Published
3/1/2024
Updated
8/2/2024
KEV Status
No
Technology
PHP
PHPTechnical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| bagisto/bagisto | composer | < 2.1.0 | 2.1.0 |
Vulnerability Intelligence
Miggo AI
Miggo AIRoot Cause Analysis
The vulnerability stemmed from two key gaps: 1) The ThemeController's store method lacked proper file validation (added in the patch via 'image|extensions' validation), allowing XSS payloads in PNGs. 2) The ThemeCustomizationRepository's uploadImage method blindly processed uploads with ImageManager, which could fail to properly sanitize malicious files (patched with try-catch and error handling). Together these enabled upload and persistence of XSS payloads that execute when viewed.