Associated Vulnerability
Title: Webkul Software Bagisto Security Vulnerability (CVE-2025-60880)
Description: An authenticated stored XSS vulnerability exists in the Bagisto 2.3.6 admin panel's product creation path, allowing an attacker to upload a crafted SVG file containing malicious JavaScript code. This vulnerability can be exploited by an authenticated admin user to execute arbitrary JavaScript in the browser, potentially leading to session hijacking, data theft, or unauthorized actions.
Description
CVE-2025-60880 - Stored Cross-Site Scripting (XSS) in Bagisto Admin Panel
Readme
# CVE-2025-60880: Stored Cross-Site Scripting (XSS) in Bagisto Admin Panel
An authenticated stored XSS vulnerability exists in the Bagisto 2.3.6 admin panel's product creation path, allowing an attacker to upload a crafted SVG file containing malicious JavaScript code. This vulnerability can be exploited by an authenticated admin user to execute arbitrary JavaScript in the browser, potentially leading to session hijacking, data theft, or unauthorized actions.
---
## Vulnerability Overview
* **CVE ID**: CVE-2025-60880
* **Type**: Cross-Site Scripting (XSS)
* **CVSS Score**: 6.9 (Medium)
* **CVSS Vector**: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:N
* **Affected Vendor**: Bagisto
* **Affected Product**: Bagisto
* **Affected Version**: v2.3.6
* **Affected Component**: Bagisto Admin Panel (Product Creation Path)
* **Attack Vector**: Remote
* **Authentication**: Admin privileges required
* **Impact**: Code Execution, Session Hijacking, Data Theft
---
## Proof of Concept (PoC)
The vulnerability is exploited when an authenticated administrator uploads a crafted SVG file containing malicious JavaScript.
**Steps to Reproduce:**
1. Log in to the Bagisto Admin Panel as an authenticated administrator.
2. Navigate to the product creation path.
3. Upload a crafted SVG file containing a JavaScript payload.
4. Replay the request with the Content-Type header modified.
5. The malicious SVG file is stored on the server.
6. When the file's URL is accessed, the JavaScript executes in the user's browser.
**Example Malicious SVG Payload:**
```xml
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert(document.domain);
</script>
</svg>
```
---
## Recommendations
To mitigate this vulnerability, the following actions are recommended:
- Enforce input validation, content-type enforcement, and proper file handling.
- Restrict file uploads to trusted formats and sanitize SVG files to remove potentially harmful content.
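The recommendations above can be made concrete on the server side. The following Python is an added example written for this page, not Bagisto's own code: it sniffs the file signature instead of trusting the client's Content-Type header (step 4 of the PoC shows that header is under the uploader's control) and rejects any SVG whose element tree contains `<script>`, event-handler attributes, or `javascript:`/`data:` hrefs. The sample inputs (a copy of the PoC SVG, a script-free variant, and a PNG signature), the function names and the reject lists are all constructed for the demonstration.

```python
"""Defensive upload check: sniff the bytes, never trust the declared
Content-Type, and reject SVG that carries script.
Added example for this advisory; not Bagisto's code."""
import xml.etree.ElementTree as ET

# Constructed sample: a copy of the PoC SVG from this advisory.
POC_SVG = b"""<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert(document.domain);
</script>
</svg>
"""

# Constructed sample: the same drawing with the script removed.
CLEAN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 50 50">
<polygon points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
</svg>
"""

# Constructed sample: PNG file signature followed by filler bytes.
PNG_HEAD = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16

# Magic numbers of raster formats the store is willing to accept.
RASTER_MAGIC = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}

# SVG elements that can run script or embed active/foreign content (reject list
# chosen for illustration; an allow-list sanitizer is stricter).
FORBIDDEN_ELEMENTS = {"script", "foreignObject", "iframe", "embed", "object", "handler"}
# URL schemes that must not appear in href / xlink:href.
FORBIDDEN_SCHEMES = ("javascript:", "data:")


def _local(name: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on tags and attributes."""
    return name.rsplit("}", 1)[-1]


def svg_violations(data: bytes) -> list:
    """Return the reasons an SVG must be rejected; an empty list means clean."""
    try:
        root = ET.fromstring(data)  # expat does not fetch the external DTD
    except ET.ParseError as exc:
        return ["not well-formed XML: %s" % exc]
    if _local(root.tag) != "svg":
        return ["root element is <%s>, not <svg>" % _local(root.tag)]
    problems = []
    for el in root.iter():
        tag = _local(el.tag)
        if tag in FORBIDDEN_ELEMENTS:
            problems.append("forbidden element <%s>" % tag)
        for attr, value in el.attrib.items():
            a = _local(attr).lower()
            if a.startswith("on"):  # onload, onclick, ... fire without <script>
                problems.append("event handler %s on <%s>" % (a, tag))
            elif a == "href" and value.strip().lower().startswith(FORBIDDEN_SCHEMES):
                problems.append("active URL in href on <%s>" % tag)
    return problems


def check_upload(data: bytes, declared_type: str) -> dict:
    """Decide whether an uploaded image may be stored.

    declared_type is the client's Content-Type header. It is recorded for
    logging but never used for the decision, because the PoC replays the
    request with that header changed; only the bytes are trusted.
    """
    for magic, mime in RASTER_MAGIC.items():
        if data.startswith(magic):
            return {"accept": True, "sniffed": mime, "declared": declared_type, "reasons": []}
    if data.lstrip().startswith(b"<"):
        reasons = svg_violations(data)
        return {"accept": not reasons, "sniffed": "image/svg+xml",
                "declared": declared_type, "reasons": reasons}
    return {"accept": False, "sniffed": "unknown", "declared": declared_type,
            "reasons": ["unrecognised file signature"]}


if __name__ == "__main__":
    for name, blob, claimed in (("poc", POC_SVG, "image/png"),
                                ("clean", CLEAN_SVG, "image/svg+xml"),
                                ("png", PNG_HEAD, "image/svg+xml")):
        print(name, check_upload(blob, claimed))
```

Even with a check like this in place, serving user uploads from a separate origin (or with `Content-Disposition: attachment`) keeps a bypassed filter from running script in the admin panel's origin, which is where the session-hijacking impact in this advisory comes from.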
---
## Disclosure Timeline
| Date | Action |
| -------- | -------------------------------- |
| 2025 AUG | Vulnerability Discovered |
| 2025 AUG | Responsible Disclosure |
| 2025 AUG | CVE ID Requested from MITRE |
| 2025 OCT | CVE Assigned, Public Disclosure |
---
## Disclaimer
The information and proof-of-concept (PoC) code provided in this repository are for educational and ethical research purposes only. The author is not responsible for any misuse or damage caused by the information or code provided herein. The user assumes all responsibility for their actions. It is the user's responsibility to ensure they are compliant with all applicable local, state, and federal laws.
File Snapshot
[4.0K] /data/pocs/add48852d75dffe2aa45c957907131d61c4fb4ff
├── [1.0K] LICENSE
└── [2.9K] README.md
1 directory, 2 files
Remarks
1. It is advised to access via the original source first.
2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support.