CVE-2025-60880
Description
An authenticated stored XSS vulnerability exists in the Bagisto 2.3.6 admin panel's product creation path, allowing an attacker to upload a crafted SVG file containing malicious JavaScript code. This vulnerability can be exploited by an authenticated admin user to execute arbitrary JavaScript in the browser, potentially leading to session hijacking, data theft, or unauthorized actions.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Bagisto 2.3.6 admin panel allows authenticated stored XSS via crafted SVG upload in product creation, risking session hijacking and data theft.
Vulnerability
Overview
CVE-2025-60880 is an authenticated stored cross-site scripting (XSS) vulnerability in the Bagisto 2.3.6 admin panel's product creation path. The root cause is insufficient validation of uploaded files: the application accepts SVG files containing arbitrary JavaScript without sanitizing them or restricting the Content-Type header. An attacker can craft an SVG file that embeds a malicious script; on upload it is stored on the server and later executed in the browser of any user viewing the product description [1][3][4].
Exploitation
Exploitation requires an authenticated admin user to upload the malicious SVG via the product creation interface. The proof-of-concept demonstrates that the attacker can replay the upload request after modifying the Content-Type header to bypass client-side checks. The SVG payload is then stored and served to any visitor accessing the product's image URL, triggering the JavaScript in their browser context [3][4].
Impact
Successful exploitation allows arbitrary JavaScript execution in the context of the Bagisto admin panel. This can lead to session hijacking, theft of sensitive data (e.g., admin credentials, customer information), or unauthorized actions performed on behalf of the victim admin. The CVSS v3.1 score is 6.9 (Medium), with a vector string of AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:N, reflecting the need for admin privileges and user interaction but high confidentiality impact [1][4].
Mitigation
Bagisto has not yet released a patched version as of the publication date. The vendor recommends enforcing input validation, content-type enforcement, and proper file handling. Administrators should restrict file uploads to trusted formats and sanitize SVG files to remove potentially harmful content. A fix is expected in a future release [1][4].
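As an added defender-side example (not Bagisto's code and not the enshrined/svg-sanitize library the project depends on), the following Python upload gate applies the mitigation described above: it decides whether the bytes are an SVG by sniffing them rather than trusting the client's Content-Type header, then strips script elements, event-handler attributes, javascript: URLs and remote references before anything is stored. The function names, the SAMPLE_SVG document and the tracker.invalid host are all constructed for this example.

```python
"""Added example (not Bagisto's code, not enshrined/svg-sanitize): a minimal
defender-side SVG upload check with two controls. (1) Decide what the file is
from its bytes, never from the client-supplied Content-Type. (2) Remove active
content (script elements, event-handler attributes, javascript: URLs, remote
references) before the file is stored. SAMPLE_SVG is constructed for this
example."""
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)        # serialize without ns0: prefixes
ET.register_namespace("xlink", XLINK_NS)

# Elements that execute script, embed foreign documents, or rewrite attributes
# at runtime; each is removed together with its subtree.
FORBIDDEN_ELEMENTS = {"script", "foreignObject", "iframe", "embed", "object",
                      "animate", "set"}
# Attribute values that can run script. data: is refused too, because a
# data:text/html or data:image/svg+xml URL smuggles another active document.
SCRIPT_SCHEME = re.compile(r"^\s*(javascript|vbscript|data)\s*:", re.I)
# Absolute or protocol-relative URLs, plain or inside CSS url(): remote refs.
REMOTE_REF = re.compile(r"(^|url\s*\(\s*['\"]?)\s*(https?:)?//", re.I)


def _local(name: str) -> str:
    """'{ns}tag' -> 'tag'; names without a namespace pass through."""
    return name.rsplit("}", 1)[-1]


def sniff_is_svg(data: bytes) -> bool:
    """Content sniffing: the bytes themselves must look like an SVG document."""
    head = data.lstrip()[:1024].lower()
    return head.startswith((b"<?xml", b"<svg", b"<!doctype")) and b"<svg" in head


def sanitize_svg(data: bytes) -> bytes:
    """Return the SVG with active content removed; raise on anything that is
    not a plain SVG document."""
    # Refuse DOCTYPE/ENTITY up front: expat will not fetch external entities,
    # but internal entity expansion (billion laughs) would still be possible.
    if re.search(rb"<!(DOCTYPE|ENTITY)", data, re.I):
        raise ValueError("DOCTYPE and ENTITY declarations are not allowed")
    root = ET.fromstring(data)
    if _local(root.tag) != "svg":
        raise ValueError("root element is not <svg>")
    _scrub(root)
    return ET.tostring(root, encoding="utf-8")


def _scrub(elem: ET.Element) -> None:
    for child in list(elem):                    # iterate a copy: we mutate elem
        if _local(child.tag) in FORBIDDEN_ELEMENTS:
            elem.remove(child)
        else:
            _scrub(child)
    for attr, value in list(elem.attrib.items()):
        name = _local(attr).lower()
        if (name.startswith("on")                # onload, onclick, ...
                or SCRIPT_SCHEME.match(value)    # href="javascript:..."
                or REMOTE_REF.search(value)):    # href/style pointing off-site
            del elem.attrib[attr]


def check_upload(declared_content_type: str, data: bytes):
    """Upload gate. The declared Content-Type is only reported in the reason
    string; it never influences the decision."""
    if not sniff_is_svg(data):
        return "reject", f"content is not SVG (client declared {declared_content_type!r})"
    try:
        clean = sanitize_svg(data)
    except (ET.ParseError, ValueError) as exc:
        return "reject", f"unsanitizable SVG: {exc}"
    return "store", clean


# Constructed sample: script placed in the positions a sanitizer must cover.
SAMPLE_SVG = b"""<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert(1)">
  <script>alert(document.cookie)</script>
  <rect width="10" height="10" onclick="alert(2)"/>
  <a xlink:href="javascript:alert(3)"><text>label</text></a>
  <image href="https://tracker.invalid/pixel.png" width="1" height="1"/>
</svg>"""

if __name__ == "__main__":
    decision, result = check_upload("image/png", SAMPLE_SVG)
    print(decision)
    print(result.decode() if isinstance(result, bytes) else result)
```

The allowlist here is deliberately narrow (it also drops data: URLs and every remote reference, which a shop may need to relax for images); the point is the shape of the check, not its completeness. Production code should route uploads through a maintained sanitizer such as enshrined/svg-sanitize and keep the content-sniffing step in front of it.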
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| bagisto/bagisto (Packagist) | >= 2.3.6, < 2.3.7 | 2.3.7 |
Affected products
Bagisto/Bagisto
Patches
19ec40c99c34achore(deps): bump enshrined/svg-sanitize from 0.16.0 to 0.22.0
2 files changed · +10 −11
composer.json+1 −1 modified@@ -22,7 +22,7 @@ "barryvdh/laravel-dompdf": "^2.0.0", "diglactic/laravel-breadcrumbs": "^9.0", "elasticsearch/elasticsearch": "^8.10", - "enshrined/svg-sanitize": "^0.16.0", + "enshrined/svg-sanitize": "^0.22.0", "guzzlehttp/guzzle": "^7.0.1", "intervention/image": "^2.4", "kalnoy/nestedset": "^6.0",
composer.lock+9 −10 modified@@ -4,7 +4,7 @@ "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies", "This file is @generated automatically" ], - "content-hash": "761bd88900c6157305217835f6036cdc", + "content-hash": "dc52a94d30562eb739cf3a489ceecd7c", "packages": [ { "name": "astrotomic/laravel-translatable", @@ -1224,26 +1224,25 @@ }, { "name": "enshrined/svg-sanitize", - "version": "0.16.0", + "version": "0.22.0", "source": { "type": "git", "url": "https://github.com/darylldoyle/svg-sanitizer.git", - "reference": "239e257605e2141265b429e40987b2ee51bba4b4" + "reference": "0afa95ea74be155a7bcd6c6fb60c276c39984500" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/darylldoyle/svg-sanitizer/zipball/239e257605e2141265b429e40987b2ee51bba4b4", - "reference": "239e257605e2141265b429e40987b2ee51bba4b4", + "url": "https://api.github.com/repos/darylldoyle/svg-sanitizer/zipball/0afa95ea74be155a7bcd6c6fb60c276c39984500", + "reference": "0afa95ea74be155a7bcd6c6fb60c276c39984500", "shasum": "" }, "require": { "ext-dom": "*", "ext-libxml": "*", - "ezyang/htmlpurifier": "^4.16", - "php": "^5.6 || ^7.0 || ^8.0" + "php": "^7.1 || ^8.0" }, "require-dev": { - "phpunit/phpunit": "^5.7 || ^6.5 || ^8.5" + "phpunit/phpunit": "^6.5 || ^8.5" }, "type": "library", "autoload": { @@ -1264,9 +1263,9 @@ "description": "An SVG sanitizer for PHP", "support": { "issues": "https://github.com/darylldoyle/svg-sanitizer/issues", - "source": "https://github.com/darylldoyle/svg-sanitizer/tree/0.16.0" + "source": "https://github.com/darylldoyle/svg-sanitizer/tree/0.22.0" }, - "time": "2023-03-20T10:51:12+00:00" + "time": "2025-08-12T10:13:48+00:00" }, { "name": "ezyang/htmlpurifier",
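Review bot: in composer.json the whole fix is the constraint change from `"enshrined/svg-sanitize": "^0.16.0"` to `"enshrined/svg-sanitize": "^0.22.0"`, and nothing in the diff shows the product-image upload path calling the sanitizer, so the bump alone does not demonstrate that a stored SVG has its script removed; please add a regression test that uploads an SVG fixture containing a `<script>` element and an `onload` attribute and asserts the stored file no longer contains them.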
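Review bot: the composer.lock entry for svg-sanitize 0.22.0 drops `"ezyang/htmlpurifier": "^4.16"` from its `require` block and raises its PHP constraint from `"^5.6 || ^7.0 || ^8.0"` to `"^7.1 || ^8.0"`; the `ezyang/htmlpurifier` package entry that follows is therefore no longer pulled in by this dependency, which is worth stating in the commit message so a later cleanup of the lock file does not surprise anyone. The `content-hash` line is updated consistently with the composer.json change.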
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions: no linked articles in our index yet.