CVE-2025-62418: bagisto has a Cross Site Scripting (XSS) vulnerability in TinyMCE Image Upload (SVG)
6.9
Basic Information
Technical Details
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| bagisto/bagisto | composer | <= 2.3.7 | 2.3.8 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability is a stored Cross-Site Scripting (XSS) issue in the TinyMCE editor's image upload functionality. An authenticated attacker could upload a crafted SVG file with embedded JavaScript. The root cause was the lack of server-side validation on the uploaded file type.
The analysis of the fixing commit 7b6b1dd639a14e7053bb82ef2f971c1f533fdfab points to the packages/Webkul/Admin/src/Http/Controllers/TinyMCEController.php file as the location of the vulnerability.
The upload() method in this controller acts as the entry point for the file upload. It calls the storeMedia() method, which contains the core logic for processing and saving the file. Prior to the patch, the storeMedia() function did not properly validate the MIME type or file extension of the uploaded file, directly storing it on the server. This allowed an attacker to upload a malicious SVG file disguised as an image.
The patch introduces strict checks within storeMedia() to validate the file's MIME type against an allowlist and ensure the file extension matches the MIME type. Because the exploit is triggered by uploading a file through the endpoint handled by upload(), which in turn uses storeMedia() to process the file, both functions would appear in a runtime profile during exploitation.
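A server-side check of the kind the patch describes, written here as an added example rather than code from the Bagisto project: it sniffs the stored file's real MIME type with PHP's finfo, requires that type to be on an image allowlist (which excludes image/svg+xml), and requires the client-supplied extension to agree with the detected type. The allowlist contents, the function name and the sample files are assumptions constructed for this example.

```php
<?php
// Added example (not Bagisto's code): allowlist-based image upload validation.
// Relies on the sniffed content type, never on the Content-Type the browser sent.
const ALLOWED_IMAGE_TYPES = [
    'image/jpeg' => ['jpg', 'jpeg'],
    'image/png'  => ['png'],
    'image/gif'  => ['gif'],
    'image/webp' => ['webp'],
];

/**
 * Returns null when the upload is acceptable, otherwise a rejection reason.
 * $path is the temporary upload on disk; $clientExtension comes from the
 * untrusted original filename and is used only for the consistency check.
 */
function validateImageUpload(string $path, string $clientExtension): ?string
{
    $finfo = finfo_open(FILEINFO_MIME_TYPE);
    $mime  = finfo_file($finfo, $path);   // libmagic sniff of the actual bytes
    finfo_close($finfo);

    if ($mime === false || !array_key_exists($mime, ALLOWED_IMAGE_TYPES)) {
        return 'disallowed content type: ' . var_export($mime, true);
    }

    $ext = strtolower($clientExtension);
    if (!in_array($ext, ALLOWED_IMAGE_TYPES[$mime], true)) {
        return "extension '$ext' does not match detected type $mime";
    }

    return null;
}

// Constructed inputs: a minimal PNG (signature only) and an SVG carrying a <script> element.
$png = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($png, "\x89PNG\r\n\x1a\n" . str_repeat("\0", 16));
$svg = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($svg, '<svg xmlns="http://www.w3.org/2000/svg"><script>console.log("embedded")</script></svg>');

var_dump(validateImageUpload($png, 'png'));  // genuine PNG, matching extension
var_dump(validateImageUpload($svg, 'svg'));  // SVG with script: type not on the allowlist
var_dump(validateImageUpload($svg, 'png'));  // SVG renamed .png: sniffed type is still SVG
var_dump(validateImageUpload($png, 'svg'));  // real PNG but mismatched extension

unlink($png);
unlink($svg);
```

The third case is the one a client-side or extension-only check misses: the file is still served as SVG by the browser regardless of the name it was uploaded under.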
Vulnerable functions
Webkul\Admin\Http\Controllers\TinyMCEController::upload (packages/Webkul/Admin/src/Http/Controllers/TinyMCEController.php)
Webkul\Admin\Http\Controllers\TinyMCEController::storeMedia (packages/Webkul/Admin/src/Http/Controllers/TinyMCEController.php)