exploitDog

CVE-2025-60880

Опубликовано: 10 окт. 2025

Источник: nvd

CVSS3: 8.3

EPSS Низкий

Описание

An authenticated stored XSS vulnerability exists in the Bagisto 2.3.6 admin panel's product creation path, allowing an attacker to upload a crafted SVG file containing malicious JavaScript code. This vulnerability can be exploited by an authenticated admin user to execute arbitrary JavaScript in the browser, potentially leading to session hijacking, data theft, or unauthorized actions.

Ссылки

https://gist.github.com/daman-preet-singh/cd431f4c30a585bb87d3c69e4a8eec98
Exploit
Third Party Advisory
https://github.com/Shenal01/CVE-2025-60880
Exploit
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:webkul:bagisto:2.3.6:*:*:*:*:*:*:*

EPSS

Процентиль: 5%

0.00021

Низкий

8.3 High

CVSS3

Дефекты

CWE-79

Связанные уязвимости

GHSA-29mf-w486-v3vc

CVSS3: 8.3

github

4 месяца назад

Bagisto is vulnerable to XSS through Admin Panel's product creation path

EPSS

Процентиль: 5%

0.00021

Низкий

8.3 High

CVSS3

Дефекты

CWE-79