CVE-2025-62415
bagisto has Cross Site Scripting (XSS) issue in TinyMCE Image Upload (HTML)
Description
### Summary In Bagisto v2.3.7, the TinyMCE image upload functionality allows an attacker with sufficient privileges (e.g. admin) to upload a crafted HTML file containing embedded JavaScript. When viewed, the malicious code executes in the context of the admin/user’s browser. ### Details The application blocks the uploading of HTML files; however, if the backend detected that the content of the .png file is HTML or JavaScript, the file extension will be automatically converted from .png to .html. When the HTML is viewed, it will execute the JavaScript code. ### PoC Created a html file, renamed the extension to .png, and uploaded the file. It was converted to HTML file in the backend. When opened in another tab, the JavaScript code will execute. <img width="1605" height="702" alt="image" src="https://github.com/user-attachments/assets/bd9406aa-2380-464f-ac21-32d483639969" /> <img width="1358" height="314" alt="image" src="https://github.com/user-attachments/assets/e5a64a5a-39fb-4fdb-ada9-14c4b9554803" /> ### Impact A aalicious script is stored in HTML file and executed when the content is viewed. An attacker (with upload privilege) can target other admin users or editors who view the content, enabling session hijacking, unauthorized actions, or privilege escalation.
How to fix CVE-2025-62415
To remediate CVE-2025-62415, upgrade the affected package to a fixed version below.
- —upgrade to 2.3.8 or later
Is CVE-2025-62415 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, < 2.3.8