VYPR
Low severity · NVD Advisory · Published Oct 20, 2025 · Updated Oct 20, 2025

CVE-2025-61417

Description

Cross-Site Scripting (XSS) vulnerability exists in TastyIgniter 3.7.7, affecting the /admin/media_manager component. Attackers can upload a malicious SVG file containing JavaScript code. When an administrator previews the file, the code executes in their browser context, allowing the attacker to perform unauthorized actions such as modifying the admin account credentials.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

TastyIgniter 3.7.7 contains a stored XSS vulnerability in the admin media manager, allowing attackers to upload malicious SVG files that execute JavaScript when previewed by an administrator, leading to full account takeover.

Vulnerability

Overview

CVE-2025-61417 is a stored cross-site scripting (XSS) vulnerability in TastyIgniter 3.7.7, specifically within the /admin/media_manager component. The root cause is that uploaded SVG files are not sanitized. SVG is an XML document format, so a file can carry <script> elements and event-handler attributes alongside its drawing instructions. When an administrator previews such a file in the media manager and the browser renders it as a document (where SVG script is executed, unlike an SVG loaded through an <img> tag), the embedded script runs in the admin's browser under the application's origin and with the admin's session [1][2].

Exploitation

Prerequisites and Attack Vector

An attacker must first be able to upload files to the media manager, which typically requires an authenticated account with upload privileges (the PR:L in the CVSS vector). The attack is carried out remotely; the trigger is an administrator previewing the malicious file, after which no further interaction is needed. The provided proof-of-concept is a crafted SVG that, upon preview, issues a PATCH request to /admin/staffs/account from the administrator's own browser session. Because it originates from that session it is same-origin and carries the admin's cookies, and it sets headers such as X-Requested-With and X-IGNITER-REQUEST-HANDLER so the application processes it as an AJAX form submission, modifying the admin account's credentials [2].

Impact

Successful exploitation allows the attacker to change the administrator's username, email, and password, resulting in full administrative account takeover. Given the high privileges of an admin account, this can lead to complete compromise of the TastyIgniter application, including access to customer data, order management, and system configuration. The CVSS v3.1 base score is 8.8 (High) with the vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H [2].

Mitigation

Status

As of the publication date, TastyIgniter 3.7.7 is the affected version. The vendor's GitHub repository indicates that security vulnerabilities can be reported via email, but no official patch or advisory has been released yet [3]. Until a fix is available, users are advised to restrict upload permissions to trusted administrators only, to treat SVG as active content rather than as an image (disallow SVG uploads or sanitize them server-side, and serve stored SVGs with Content-Disposition: attachment or through an <img> tag instead of rendering them inline in the admin origin), to avoid previewing untrusted SVG files, and to monitor for updates from the vendor.
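As a worked check for the root cause and the mitigation above, the following Python scanner (added here as an example; it is not TastyIgniter code and does not reflect how the project's media manager validates uploads) parses an SVG and reports the constructs that make it executable when rendered as a document: script elements, event-handler attributes, script-scheme links, and animation elements that rewrite href after load. The sample SVG documents are constructed for the example; the first mirrors the shape of the PoC described above, with a placeholder for the handler header value, which the advisory does not give.

```python
"""Scan an uploaded SVG for active content before it is stored or previewed.

Added example for this advisory; not TastyIgniter code. The sample documents
are constructed for the example. The script body in the first mirrors the
PoC behaviour described above but is never executed here, only parsed.
"""
import re
import xml.etree.ElementTree as ET

# Elements that run or load active content when an SVG is rendered as a document.
ACTIVE_ELEMENTS = {"script", "handler", "foreignObject", "iframe", "embed", "object"}
# Link attributes (plain and xlink) whose value may be a script URL.
LINK_ATTRS = {"href", "{http://www.w3.org/1999/xlink}href"}
# URL schemes that execute script or smuggle a nested document when followed.
SCRIPT_SCHEMES = ("javascript:", "vbscript:", "data:text/html", "data:image/svg")


def _local(name):
    """Strip an XML namespace ('{uri}tag' -> 'tag') so checks are namespace-agnostic."""
    return name.rsplit("}", 1)[-1]


def _is_script_url(value):
    """Browsers ignore leading control characters in a URL, so strip them before matching."""
    normalized = re.sub(r"[\x00-\x20]+", "", value).lower()
    return normalized.startswith(SCRIPT_SCHEMES)


def find_active_content(svg_bytes):
    """Return the findings for svg_bytes; an empty list means nothing active was found."""
    findings = []
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        # Reject unparseable input instead of handing it to a more lenient browser parser.
        return [f"parse-error:{exc}"]
    if _local(root.tag) != "svg":
        findings.append(f"root:{_local(root.tag)}")
    for elem in root.iter():
        tag = _local(elem.tag)
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"element:{tag}")
        # <set>/<animate> can rewrite href to javascript: after load, bypassing a static href check.
        if tag in ("set", "animate") and elem.get("attributeName", "") in ("href", "xlink:href"):
            findings.append(f"element:{tag}[attributeName=href]")
        for attr, value in elem.attrib.items():
            aname = _local(attr)
            if aname.lower().startswith("on"):          # onload, onclick, onbegin, ...
                findings.append(f"attr:{aname}")
            elif attr in LINK_ATTRS and _is_script_url(value):
                findings.append(f"attr:{aname}")
    return findings


def is_safe_svg(svg_bytes):
    """Upload-time decision: True only if no active construct was found."""
    return not find_active_content(svg_bytes)


# Constructed sample 1: the shape the advisory describes, a <script> element inside the SVG.
# 'HANDLER' is a placeholder; the advisory names the headers but not their values.
SCRIPT_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16">
  <script>
    fetch('/admin/staffs/account', {method: 'PATCH', credentials: 'include',
      headers: {'X-Requested-With': 'XMLHttpRequest', 'X-IGNITER-REQUEST-HANDLER': 'HANDLER'}});
  </script>
</svg>"""

# Constructed sample 2: no <script> element at all, so a tag-only filter would pass it.
ATTRIBUTE_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert(document.domain)">
  <a xlink:href=" &#x6A;avascript:alert(1)"><text y="12">click</text></a>
  <set attributeName="xlink:href" to="javascript:alert(2)"/>
</svg>"""

# Constructed sample 3: an ordinary icon that should be accepted.
CLEAN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">
  <circle cx="5" cy="5" r="4" fill="#c00"/>
</svg>"""


if __name__ == "__main__":
    for label, doc in (("script", SCRIPT_SVG), ("attributes", ATTRIBUTE_SVG), ("clean", CLEAN_SVG)):
        print(f"{label}: {find_active_content(doc) or 'no active content'}")
```

A check like this belongs at upload time, before the file reaches the media library, and complements rather than replaces the serving-side controls: storing SVGs with Content-Disposition: attachment, or rendering previews through an <img> tag where browsers do not run SVG script, so that an upload which slips past the scanner is still not executed as a document in the admin origin.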

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: tastyigniter/tastyigniter (Packagist)
Affected versions: <= 3.7.7
Patched versions: none listed

Affected products: 2

Patches: 0 (no patches discovered yet)

References: 3
