Moderate severity · NVD Advisory · Published Oct 16, 2025 · Updated Oct 17, 2025

bagisto - Cross Site Scripting (XSS) in TinyMCE Image Upload (SVG)

CVE-2025-62418

Description

Bagisto is an open source Laravel eCommerce platform. In Bagisto v2.3.7, the TinyMCE image upload functionality allows an attacker with sufficient privileges (e.g. admin) to upload a crafted SVG file containing embedded JavaScript. When the file is viewed, the malicious code executes in the context of the admin/user’s browser. This vulnerability is fixed in 2.3.8.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
bagisto/bagisto (Packagist)
< 2.3.8 | 2.3.8


Patches

7b6b1dd639a1

fix: refined tinymce

https://github.com/bagisto/bagisto · Devansh Bawari · Oct 15, 2025 · via ghsa
24 files changed · +287 −126
  • packages/Webkul/Admin/src/Http/Controllers/TinyMCEController.php+54 9 modified
    @@ -16,22 +16,44 @@ class TinyMCEController extends Controller
          */
         private $storagePath = 'tinymce';
     
    +    /**
    +     * Allowed image MIME types.
    +     *
    +     * @var array
    +     */
    +    private $allowedMimeTypes = [
    +        'image/gif',
    +        'image/jpeg',
    +        'image/jpg',
    +        'image/png',
    +        'image/svg+xml',
    +        'image/webp',
    +    ];
    +
         /**
          * Upload file from tinymce.
          *
    -     * @return void
    +     * @return \Illuminate\Http\JsonResponse
          */
         public function upload()
         {
    -        $media = $this->storeMedia();
    +        $result = $this->storeMedia();
     
    -        if (! empty($media)) {
    +        if (isset($result['error'])) {
                 return response()->json([
    -                'location' => $media['file_url'],
    +                'error' => $result['error'],
    +            ], 400);
    +        }
    +
    +        if (! empty($result)) {
    +            return response()->json([
    +                'location' => $result['file_url'],
                 ]);
             }
     
    -        return response()->json([]);
    +        return response()->json([
    +            'error' => trans('admin::app.components.tinymce.errors.file-upload-failed'),
    +        ], 400);
         }
     
         /**
    @@ -42,16 +64,39 @@ public function upload()
         public function storeMedia()
         {
             if (! request()->hasFile('file')) {
    -            return [];
    +            return ['error' => trans('admin::app.components.tinymce.errors.no-file-uploaded')];
    +        }
    +
    +        $file = request()->file('file');
    +
    +        $mimeType = $file->getMimeType();
    +
    +        if (! in_array($mimeType, $this->allowedMimeTypes)) {
    +            return ['error' => trans('admin::app.components.tinymce.errors.invalid-file-type')];
    +        }
    +
    +        $extension = strtolower($file->getClientOriginalExtension());
    +
    +        $validExtensions = [
    +            'image/jpeg'    => ['jpg', 'jpeg'],
    +            'image/jpg'     => ['jpg', 'jpeg'],
    +            'image/png'     => ['png'],
    +            'image/gif'     => ['gif'],
    +            'image/webp'    => ['webp'],
    +            'image/svg+xml' => ['svg'],
    +        ];
    +
    +        if (! isset($validExtensions[$mimeType]) || ! in_array($extension, $validExtensions[$mimeType])) {
    +            return ['error' => trans('admin::app.components.tinymce.errors.file-extension-mismatch')];
             }
     
    -        $path = request()->file('file')->store($this->storagePath);
    +        $path = $file->store($this->storagePath);
     
    -        $this->sanitizeSVG($path, request()->file('file')->getMimeType());
    +        $this->sanitizeSVG($path, $mimeType);
     
             return [
                 'file'      => $path,
    -            'file_name' => request()->file('file')->getClientOriginalName(),
    +            'file_name' => $file->getClientOriginalName(),
                 'file_url'  => Storage::url($path),
             ];
         }
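Review bot: The uploaded SVG is written to storage before it is cleaned — `$path = $file->store($this->storagePath);` runs first and `$this->sanitizeSVG($path, $mimeType);` only afterwards — so a file that passed the `image/svg+xml` MIME and `.svg` extension checks exists briefly (and permanently, if the sanitizer throws or fails to overwrite) with its original script content at the location later returned as `Storage::url($path)`, which looks like a public URL if the disk is public. Consider sanitizing the temporary upload (`$file->getRealPath()`) before `store()`, or storing to a non-public path and exposing it only once sanitization has succeeded; `sanitizeSVG` is outside this hunk, so whether it reports success is not visible here. The new MIME/extension cross-check only rejects mismatches and removes no active content from an SVG, so it complements the sanitizer rather than replacing it, and both `in_array` calls should pass `true` as the third argument. `$validExtensions` also repeats every key of `$allowedMimeTypes` from the first hunk; deriving the allow-list as `array_keys($validExtensions)` would keep the two from drifting apart.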
    
  • packages/Webkul/Admin/src/Resources/lang/ar/app.php+10 0 modified
    @@ -4900,6 +4900,16 @@
                     'vicuna-13b'               => 'Vicuna (13b)',
                     'vicuna-7b'                => 'Vicuna (7b)',
                 ],
    +
    +            'errors' => [
    +                'file-extension-mismatch'        => 'امتداد الملف لا يتطابق مع نوع الملف.',
    +                'file-upload-failed'             => 'فشل تحميل الملف.',
    +                'http-error'                     => 'خطأ في HTTP.',
    +                'invalid-file-type'              => 'نوع ملف غير صالح. الأنواع المسموحة: JPEG، PNG، GIF، WebP، SVG',
    +                'invalid-json'                   => 'JSON غير صالح.',
    +                'no-file-uploaded'               => 'لم يتم تحميل ملف.',
    +                'upload-failed'                  => 'فشل تحميل الصورة بسبب خطأ في نقل XHR.',
    +            ],
             ],
         ],
     
    
  • packages/Webkul/Admin/src/Resources/lang/bn/app.php+10 0 modified
    @@ -4900,6 +4900,16 @@
                     'vicuna-13b'               => 'Vicuna (13b)',
                     'vicuna-7b'                => 'Vicuna (7b)',
                 ],
    +
    +            'errors' => [
    +                'file-extension-mismatch'        => 'ফাইল এক্সটেনশন ফাইল প্রকারের সাথে মেলে না।',
    +                'file-upload-failed'             => 'ফাইল আপলোড ব্যর্থ হয়েছে।',
    +                'http-error'                     => 'HTTP ত্রুটি।',
    +                'invalid-file-type'              => 'অবৈধ ফাইল প্রকার। অনুমোদিত প্রকার: JPEG, PNG, GIF, WebP, SVG',
    +                'invalid-json'                   => 'অবৈধ JSON।',
    +                'no-file-uploaded'               => 'কোন ফাইল আপলোড করা হয়নি।',
    +                'upload-failed'                  => 'XHR ট্রান্সপোর্ট ত্রুটির কারণে ছবি আপলোড ব্যর্থ হয়েছে।',
    +            ],
             ],
         ],
     
    
  • packages/Webkul/Admin/src/Resources/lang/ca/app.php+10 0 modified
    @@ -4899,6 +4899,16 @@
                     'vicuna-13b'               => 'Vicuna (13b)',
                     'vicuna-7b'                => 'Vicuna (7b)',
                 ],
    +
    +            'errors' => [
    +                'file-extension-mismatch'        => 'L\'extensió del fitxer no coincideix amb el tipus de fitxer.',
    +                'file-upload-failed'             => 'Ha fallat la càrrega del fitxer.',
    +                'http-error'                     => 'Error HTTP.',
    +                'invalid-file-type'              => 'Tipus de fitxer no vàlid. Tipus permesos: JPEG, PNG, GIF, WebP, SVG',
    +                'invalid-json'                   => 'JSON no vàlid.',
    +                'no-file-uploaded'               => 'No s\'ha carregat cap fitxer.',
    +                'upload-failed'                  => 'La càrrega de la imatge ha fallat a causa d\'un error de transport XHR.',
    +            ],
             ],
         ],
     
    
  • packages/Webkul/Admin/src/Resources/lang/de/app.php+10 0 modified
    @@ -4900,6 +4900,16 @@
                     'vicuna-13b'               => 'Vicuna (13b)',
                     'vicuna-7b'                => 'Vicuna (7b)',
                 ],
    +
    +            'errors' => [
    +                'file-extension-mismatch'        => 'Dateierweiterung stimmt nicht mit dem Dateityp überein.',
    +                'file-upload-failed'             => 'Datei-Upload fehlgeschlagen.',
    +                'http-error'                     => 'HTTP-Fehler.',
    +                'invalid-file-type'              => 'Ungültiger Dateityp. Zulässige Typen: JPEG, PNG, GIF, WebP, SVG',
    +                'invalid-json'                   => 'Ungültiges JSON.',
    +                'no-file-uploaded'               => 'Keine Datei hochgeladen.',
    +                'upload-failed'                  => 'Bild-Upload aufgrund eines XHR-Transportfehlers fehlgeschlagen.',
    +            ],
             ],
         ],
     
    
  • packages/Webkul/Admin/src/Resources/lang/en/app.php+10 0 modified
    @@ -4900,6 +4900,16 @@
                     'vicuna-13b'               => 'Vicuna (13b)',
                     'vicuna-7b'                => 'Vicuna (7b)',
                 ],
    +
    +            'errors' => [
    +                'file-extension-mismatch'        => 'File extension does not match file type.',
    +                'file-upload-failed'             => 'File upload failed.',
    +                'http-error'                     => 'HTTP error.',
    +                'invalid-file-type'              => 'Invalid file type. Allowed types: JPEG, PNG, GIF, WebP, SVG',
    +                'invalid-json'                   => 'Invalid JSON.',
    +                'no-file-uploaded'               => 'No file uploaded.',
    +                'upload-failed'                  => 'Image upload failed due to a XHR Transport error.',
    +            ],
             ],
         ],
     
    
  • packages/Webkul/Admin/src/Resources/lang/es/app.php+10 0 modified
    @@ -4900,6 +4900,16 @@
                     'vicuna-13b'               => 'Vicuna (13b)',
                     'vicuna-7b'                => 'Vicuna (7b)',
                 ],
    +
    +            'errors' => [
    +                'file-extension-mismatch'        => 'La extensión del archivo no coincide con el tipo de archivo.',
    +                'file-upload-failed'             => 'Falló la carga del archivo.',
    +                'http-error'                     => 'Error HTTP.',
    +                'invalid-file-type'              => 'Tipo de archivo no válido. Tipos permitidos: JPEG, PNG, GIF, WebP, SVG',
    +                'invalid-json'                   => 'JSON no válido.',
    +                'no-file-uploaded'               => 'No se cargó ningún archivo.',
    +                'upload-failed'                  => 'La carga de la imagen falló debido a un error de transporte XHR.',
    +            ],
             ],
         ],
     
    
  • packages/Webkul/Admin/src/Resources/lang/fa/app.php+10 0 modified
    @@ -4900,6 +4900,16 @@
                     'vicuna-13b'               => 'Vicuna (13b)',
                     'vicuna-7b'                => 'Vicuna (7b)',
                 ],
    +
    +            'errors' => [
    +                'file-extension-mismatch'        => 'پسوند فایل با نوع فایل مطابقت ندارد.',
    +                'file-upload-failed'             => 'بارگذاری فایل ناموفق بود.',
    +                'http-error'                     => 'خطای HTTP.',
    +                'invalid-file-type'              => 'نوع فایل نامعتبر است. انواع مجاز: JPEG، PNG، GIF، WebP، SVG',
    +                'invalid-json'                   => 'JSON نامعتبر.',
    +                'no-file-uploaded'               => 'هیچ فایلی بارگذاری نشد.',
    +                'upload-failed'                  => 'بارگذاری تصویر به دلیل خطای انتقال XHR ناموفق بود.',
    +            ],
             ],
         ],
     
    
  • packages/Webkul/Admin/src/Resources/lang/fr/app.php+10 0 modified
    @@ -4900,6 +4900,16 @@
                     'vicuna-13b'               => 'Vicuna (13b)',
                     'vicuna-7b'                => 'Vicuna (7b)',
                 ],
    +
    +            'errors' => [
    +                'file-extension-mismatch'        => 'L\'extension du fichier ne correspond pas au type de fichier.',
    +                'file-upload-failed'             => 'Échec du téléchargement du fichier.',
    +                'http-error'                     => 'Erreur HTTP.',
    +                'invalid-file-type'              => 'Type de fichier non valide. Types autorisés : JPEG, PNG, GIF, WebP, SVG',
    +                'invalid-json'                   => 'JSON non valide.',
    +                'no-file-uploaded'               => 'Aucun fichier téléchargé.',
    +                'upload-failed'                  => 'Le téléchargement de l\'image a échoué en raison d\'une erreur de transport XHR.',
    +            ],
             ],
         ],
     
    
  • packages/Webkul/Admin/src/Resources/lang/he/app.php+10 0 modified
    @@ -4900,6 +4900,16 @@
                     'vicuna-13b'               => 'Vicuna (13b)',
                     'vicuna-7b'                => 'Vicuna (7b)',
                 ],
    +
    +            'errors' => [
    +                'file-extension-mismatch'        => 'סיומת הקובץ אינה תואמת לסוג הקובץ.',
    +                'file-upload-failed'             => 'העלאת הקובץ נכשלה.',
    +                'http-error'                     => 'שגיאת HTTP.',
    +                'invalid-file-type'              => 'סוג קובץ לא חוקי. סוגים מותרים: JPEG, PNG, GIF, WebP, SVG',
    +                'invalid-json'                   => 'JSON לא חוקי.',
    +                'no-file-uploaded'               => 'לא הועלה קובץ.',
    +                'upload-failed'                  => 'העלאת התמונה נכשלה עקב שגיאת העברת XHR.',
    +            ],
             ],
         ],
     
    
  • packages/Webkul/Admin/src/Resources/lang/hi_IN/app.php+10 0 modified
    @@ -4900,6 +4900,16 @@
                     'vicuna-13b'               => 'Vicuna (13b)',
                     'vicuna-7b'                => 'Vicuna (7b)',
                 ],
    +
    +            'errors' => [
    +                'file-extension-mismatch'        => 'फ़ाइल एक्सटेंशन फ़ाइल प्रकार से मेल नहीं खाता।',
    +                'file-upload-failed'             => 'फ़ाइल अपलोड विफल रहा।',
    +                'http-error'                     => 'HTTP त्रुटि।',
    +                'invalid-file-type'              => 'अमान्य फ़ाइल प्रकार। अनुमत प्रकार: JPEG, PNG, GIF, WebP, SVG',
    +                'invalid-json'                   => 'अमान्य JSON।',
    +                'no-file-uploaded'               => 'कोई फ़ाइल अपलोड नहीं की गई।',
    +                'upload-failed'                  => 'XHR ट्रांसपोर्ट त्रुटि के कारण छवि अपलोड विफल रहा।',
    +            ],
             ],
         ],
     
    
  • packages/Webkul/Admin/src/Resources/lang/id/app.php+10 0 modified
    @@ -4900,6 +4900,16 @@
                     'vicuna-13b'               => 'Vicuna (13b)',
                     'vicuna-7b'                => 'Vicuna (7b)',
                 ],
    +
    +            'errors' => [
    +                'file-extension-mismatch'        => 'Ekstensi file tidak cocok dengan jenis file.',
    +                'file-upload-failed'             => 'Unggahan file gagal.',
    +                'http-error'                     => 'Kesalahan HTTP.',
    +                'invalid-file-type'              => 'Jenis file tidak valid. Jenis yang diizinkan: JPEG, PNG, GIF, WebP, SVG',
    +                'invalid-json'                   => 'JSON tidak valid.',
    +                'no-file-uploaded'               => 'Tidak ada file yang diunggah.',
    +                'upload-failed'                  => 'Unggahan gambar gagal karena kesalahan transport XHR.',
    +            ],
             ],
         ],
     
    
  • packages/Webkul/Admin/src/Resources/lang/it/app.php+10 0 modified
    @@ -4900,6 +4900,16 @@
                     'vicuna-13b'               => 'Vicuna (13b)',
                     'vicuna-7b'                => 'Vicuna (7b)',
                 ],
    +
    +            'errors' => [
    +                'file-extension-mismatch'        => 'L\'estensione del file non corrisponde al tipo di file.',
    +                'file-upload-failed'             => 'Caricamento file non riuscito.',
    +                'http-error'                     => 'Errore HTTP.',
    +                'invalid-file-type'              => 'Tipo di file non valido. Tipi consentiti: JPEG, PNG, GIF, WebP, SVG',
    +                'invalid-json'                   => 'JSON non valido.',
    +                'no-file-uploaded'               => 'Nessun file caricato.',
    +                'upload-failed'                  => 'Caricamento immagine non riuscito a causa di un errore di trasporto XHR.',
    +            ],
             ],
         ],
     
    
  • packages/Webkul/Admin/src/Resources/lang/ja/app.php+10 0 modified
    @@ -4900,6 +4900,16 @@
                     'vicuna-13b'               => 'Vicuna (13b)',
                     'vicuna-7b'                => 'Vicuna (7b)',
                 ],
    +
    +            'errors' => [
    +                'file-extension-mismatch'        => 'ファイル拡張子がファイルタイプと一致しません。',
    +                'file-upload-failed'             => 'ファイルのアップロードに失敗しました。',
    +                'http-error'                     => 'HTTPエラー。',
    +                'invalid-file-type'              => '無効なファイルタイプです。許可されるタイプ: JPEG, PNG, GIF, WebP, SVG',
    +                'invalid-json'                   => '無効なJSON。',
    +                'no-file-uploaded'               => 'ファイルがアップロードされていません。',
    +                'upload-failed'                  => 'XHRトランスポートエラーにより画像のアップロードに失敗しました。',
    +            ],
             ],
         ],
     
    
  • packages/Webkul/Admin/src/Resources/lang/nl/app.php+10 0 modified
    @@ -4900,6 +4900,16 @@
                     'vicuna-13b'               => 'Vicuna (13b)',
                     'vicuna-7b'                => 'Vicuna (7b)',
                 ],
    +
    +            'errors' => [
    +                'file-extension-mismatch'        => 'Bestandsextensie komt niet overeen met bestandstype.',
    +                'file-upload-failed'             => 'Bestand uploaden mislukt.',
    +                'http-error'                     => 'HTTP-fout.',
    +                'invalid-file-type'              => 'Ongeldig bestandstype. Toegestane types: JPEG, PNG, GIF, WebP, SVG',
    +                'invalid-json'                   => 'Ongeldige JSON.',
    +                'no-file-uploaded'               => 'Geen bestand geüpload.',
    +                'upload-failed'                  => 'Afbeelding uploaden mislukt vanwege een XHR-transportfout.',
    +            ],
             ],
         ],
     
    
  • packages/Webkul/Admin/src/Resources/lang/pl/app.php+10 0 modified
    @@ -4900,6 +4900,16 @@
                     'vicuna-13b'               => 'Vicuna (13b)',
                     'vicuna-7b'                => 'Vicuna (7b)',
                 ],
    +
    +            'errors' => [
    +                'file-extension-mismatch'        => 'Rozszerzenie pliku nie pasuje do typu pliku.',
    +                'file-upload-failed'             => 'Przesyłanie pliku nie powiodło się.',
    +                'http-error'                     => 'Błąd HTTP.',
    +                'invalid-file-type'              => 'Nieprawidłowy typ pliku. Dozwolone typy: JPEG, PNG, GIF, WebP, SVG',
    +                'invalid-json'                   => 'Nieprawidłowy JSON.',
    +                'no-file-uploaded'               => 'Nie przesłano pliku.',
    +                'upload-failed'                  => 'Przesyłanie obrazu nie powiodło się z powodu błędu transportu XHR.',
    +            ],
             ],
         ],
     
    
  • packages/Webkul/Admin/src/Resources/lang/pt_BR/app.php+10 0 modified
    @@ -4900,6 +4900,16 @@
                     'vicuna-13b'               => 'Vicuna (13b)',
                     'vicuna-7b'                => 'Vicuna (7b)',
                 ],
    +
    +            'errors' => [
    +                'file-extension-mismatch'        => 'A extensão do arquivo não corresponde ao tipo de arquivo.',
    +                'file-upload-failed'             => 'Falha no upload do arquivo.',
    +                'http-error'                     => 'Erro HTTP.',
    +                'invalid-file-type'              => 'Tipo de arquivo inválido. Tipos permitidos: JPEG, PNG, GIF, WebP, SVG',
    +                'invalid-json'                   => 'JSON inválido.',
    +                'no-file-uploaded'               => 'Nenhum arquivo enviado.',
    +                'upload-failed'                  => 'Falha no upload da imagem devido a um erro de transporte XHR.',
    +            ],
             ],
         ],
     
    
  • packages/Webkul/Admin/src/Resources/lang/ru/app.php+10 0 modified
    @@ -4900,6 +4900,16 @@
                     'vicuna-13b'             => 'Vicuna (13b)',
                     'vicuna-7b'              => 'Vicuna (7b)',
                 ],
    +
    +            'errors' => [
    +                'file-extension-mismatch'        => 'Расширение файла не соответствует типу файла.',
    +                'file-upload-failed'             => 'Не удалось загрузить файл.',
    +                'http-error'                     => 'Ошибка HTTP.',
    +                'invalid-file-type'              => 'Недопустимый тип файла. Разрешенные типы: JPEG, PNG, GIF, WebP, SVG',
    +                'invalid-json'                   => 'Недопустимый JSON.',
    +                'no-file-uploaded'               => 'Файл не загружен.',
    +                'upload-failed'                  => 'Не удалось загрузить изображение из-за ошибки передачи XHR.',
    +            ],
             ],
         ],
     
    
  • packages/Webkul/Admin/src/Resources/lang/sin/app.php+10 0 modified
    @@ -4900,6 +4900,16 @@
                     'vicuna-13b'             => 'Vicuna (13b)',
                     'vicuna-7b'              => 'Vicuna (7b)',
                 ],
    +
    +            'errors' => [
    +                'file-extension-mismatch'        => 'ගොනු දිගුව ගොනු වර්ගයට නොගැලපේ.',
    +                'file-upload-failed'             => 'ගොනු උඩුගත කිරීම අසාර්ථක විය.',
    +                'http-error'                     => 'HTTP දෝෂයකි.',
    +                'invalid-file-type'              => 'වලංගු නොවන ගොනු වර්ගයකි. අනුමත වර්ග: JPEG, PNG, GIF, WebP, SVG',
    +                'invalid-json'                   => 'වලංගු නොවන JSON.',
    +                'no-file-uploaded'               => 'කිසිදු ගොනුවක් උඩුගත කර නැත.',
    +                'upload-failed'                  => 'XHR ප්‍රවාහන දෝෂයක් හේතුවෙන් රූපය උඩුගත කිරීම අසාර්ථක විය.',
    +            ],
             ],
         ],
     
    
  • packages/Webkul/Admin/src/Resources/lang/tr/app.php+10 0 modified
    @@ -4900,6 +4900,16 @@
                     'vicuna-13b'             => 'Vicuna (13b)',
                     'vicuna-7b'              => 'Vicuna (7b)',
                 ],
    +
    +            'errors' => [
    +                'file-extension-mismatch'        => 'Dosya uzantısı dosya türüyle eşleşmiyor.',
    +                'file-upload-failed'             => 'Dosya yükleme başarısız oldu.',
    +                'http-error'                     => 'HTTP hatası.',
    +                'invalid-file-type'              => 'Geçersiz dosya türü. İzin verilen türler: JPEG, PNG, GIF, WebP, SVG',
    +                'invalid-json'                   => 'Geçersiz JSON.',
    +                'no-file-uploaded'               => 'Hiçbir dosya yüklenmedi.',
    +                'upload-failed'                  => 'XHR aktarım hatası nedeniyle resim yüklenemedi.',
    +            ],
             ],
         ],
     
    
  • packages/Webkul/Admin/src/Resources/lang/uk/app.php+10 0 modified
    @@ -4900,6 +4900,16 @@
                     'vicuna-13b'             => 'Vicuna (13b)',
                     'vicuna-7b'              => 'Vicuna (7b)',
                 ],
    +
    +            'errors' => [
    +                'file-extension-mismatch'        => 'Розширення файлу не відповідає типу файлу.',
    +                'file-upload-failed'             => 'Не вдалося завантажити файл.',
    +                'http-error'                     => 'Помилка HTTP.',
    +                'invalid-file-type'              => 'Недійсний тип файлу. Дозволені типи: JPEG, PNG, GIF, WebP, SVG',
    +                'invalid-json'                   => 'Недійсний JSON.',
    +                'no-file-uploaded'               => 'Файл не завантажено.',
    +                'upload-failed'                  => 'Не вдалося завантажити зображення через помилку передачі XHR.',
    +            ],
             ],
         ],
     
    
  • packages/Webkul/Admin/src/Resources/lang/zh_CN/app.php+10 0 modified
    @@ -4900,6 +4900,16 @@
                     'vicuna-13b'             => 'Vicuna (13b)',
                     'vicuna-7b'              => 'Vicuna (7b)',
                 ],
    +
    +            'errors' => [
    +                'file-extension-mismatch'        => '文件扩展名与文件类型不匹配。',
    +                'file-upload-failed'             => '文件上传失败。',
    +                'http-error'                     => 'HTTP错误。',
    +                'invalid-file-type'              => '无效的文件类型。允许的类型:JPEG、PNG、GIF、WebP、SVG',
    +                'invalid-json'                   => '无效的JSON。',
    +                'no-file-uploaded'               => '未上传文件。',
    +                'upload-failed'                  => '由于XHR传输错误,图片上传失败。',
    +            ],
             ],
         ],
     
    
  • packages/Webkul/Admin/src/Resources/views/components/tinymce/index.blade.php+14 4 modified
    @@ -331,31 +331,41 @@ class="primary-button"
                                     let json;
     
                                     if (xhr.status === 403) {
    -                                    reject("@lang('admin::app.error.tinymce.http-error')", {
    +                                    reject("@lang('admin::app.components.tinymce.errors.http-error')", {
                                             remove: true
                                         });
     
                                         return;
                                     }
     
                                     if (xhr.status < 200 || xhr.status >= 300) {
    -                                    reject("@lang('admin::app.error.tinymce.http-error')");
    +                                    try {
    +                                        json = JSON.parse(xhr.responseText);
    +                                        
    +                                        if (json.error) {
    +                                            reject(json.error);
    +                                        } else {
    +                                            reject("@lang('admin::app.components.tinymce.errors.http-error')");
    +                                        }
    +                                    } catch (e) {
    +                                        reject("@lang('admin::app.components.tinymce.errors.http-error')");
    +                                    }
     
                                         return;
                                     }
     
                                     json = JSON.parse(xhr.responseText);
     
                                     if (! json || typeof json.location != 'string') {
    -                                    reject("@lang('admin::app.error.tinymce.invalid-json')" + xhr.responseText);
    +                                    reject("@lang('admin::app.components.tinymce.errors.invalid-json')" + xhr.responseText);
     
                                         return;
                                     }
     
                                     resolve(json.location);
                                 };
     
    -                            xhr.onerror = (()=>reject("@lang('admin::app.error.tinymce.upload-failed')"));
    +                            xhr.onerror = (()=>reject("@lang('admin::app.components.tinymce.errors.upload-failed')"));
     
                                 formData = new FormData();
                                 formData.append('_token', config.csrfToken);
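Review bot: The success path still calls `json = JSON.parse(xhr.responseText);` unguarded, just below the new try/catch, so a 2xx response with a non-JSON body throws inside onload and neither resolve nor reject runs, leaving the upload promise pending; wrap it the same way and `reject("@lang('admin::app.components.tinymce.errors.invalid-json')" + xhr.responseText); return;` in the catch. In the new error branch, `reject(json.error)` forwards whatever the server put in `error` without checking its type; in this commit that value comes from the controller's own `trans()` strings, but a `typeof json.error === 'string'` check before the reject keeps an object or array from reaching the editor notification. The enclosing uploadImageHandler function starts and ends outside this hunk.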
    
  • packages/Webkul/Shop/src/Resources/views/components/tinymce/index.blade.php+9 113 modified
    @@ -17,7 +17,7 @@
             app.component('v-tinymce', {
                 template: '#v-tinymce-template',
                     
    -            props: ['selector', 'field',],
    +            props: ['selector', 'field'],
     
                 mounted() {
                     this.init();
    @@ -31,119 +31,15 @@
     
                 methods: {
                     init() {
    -                    let self = this;
    -
    -                    let tinyMCEHelper = {
    -                        initTinyMCE: function(extraConfiguration) {
    -                            let self2 = this;
    -
    -                            let config = {  
    -                                relative_urls: false,
    -                                menubar: false,
    -                                remove_script_host: false,
    -                                document_base_url: '{{ asset('/') }}',
    -                                uploadRoute: '{{ route('admin.tinymce.upload') }}',
    -                                csrfToken: '{{ csrf_token() }}',
    -                                ...extraConfiguration,
    -                            };
    -
    -                            const image_upload_handler = (blobInfo, progress) => new Promise((resolve, reject) => {
    -                                self2.uploadImageHandler(config, blobInfo, resolve, reject, progress);
    -                            });
    -
    -                            tinymce.init({
    -                                ...config,
    -
    -                                file_picker_callback: function(cb, value, meta) {
    -                                    self2.filePickerCallback(config, cb, value, meta);
    -                                },
    -
    -                                images_upload_handler: image_upload_handler,
    -                            });
    -                        },
    -
    -                        filePickerCallback: function(config, cb, value, meta) {
    -                            let input = document.createElement('input');
    -                            input.setAttribute('type', 'file');
    -                            input.setAttribute('accept', 'image/*');
    -
    -                            input.onchange = function() {
    -                                let file = this.files[0];
    -
    -                                let reader = new FileReader();
    -                                reader.readAsDataURL(file);
    -                                reader.onload = function() {
    -                                    let id = 'blobid' + new Date().getTime();
    -                                    let blobCache = tinymce.activeEditor.editorUpload.blobCache;
    -                                    let base64 = reader.result.split(',')[1];
    -                                    let blobInfo = blobCache.create(id, file, base64);
    -
    -                                    blobCache.add(blobInfo);
    -
    -                                    cb(blobInfo.blobUri(), {
    -                                        title: file.name
    -                                    });
    -                                };
    -                            };
    -
    -                            input.click();
    -                        },
    -
    -                        uploadImageHandler: function(config, blobInfo, resolve, reject, progress) {
    -                            let xhr, formData;
    -
    -                            xhr = new XMLHttpRequest();
    -
    -                            xhr.withCredentials = false;
    -
    -                            xhr.open('POST', config.uploadRoute);
    -
    -                            xhr.upload.onprogress = ((e) => progress((e.loaded / e.total) * 100));
    -
    -                            xhr.onload = function() {
    -                                let json;
    -
    -                                if (xhr.status === 403) {
    -                                    reject("@lang('admin::app.error.tinymce.http-error')", {
    -                                        remove: true
    -                                    });
    -
    -                                    return;
    -                                }
    -
    -                                if (xhr.status < 200 || xhr.status >= 300) {
    -                                    reject("@lang('admin::app.error.tinymce.http-error')");
    -
    -                                    return;
    -                                }
    -
    -                                json = JSON.parse(xhr.responseText);
    -
    -                                if (! json || typeof json.location != 'string') {
    -                                    reject("@lang('admin::app.error.tinymce.invalid-json')" + xhr.responseText);
    -
    -                                    return;
    -                                }
    -
    -                                resolve(json.location);
    -                            };
    -
    -                            xhr.onerror = (()=>reject("@lang('admin::app.error.tinymce.upload-failed')"));
    -
    -                            formData = new FormData();
    -                            formData.append('_token', config.csrfToken);
    -                            formData.append('file', blobInfo.blob(), blobInfo.filename());
    -
    -                            xhr.send(formData);
    -                        },
    -                    };
    -
    -                    tinyMCEHelper.initTinyMCE({
    +                    tinymce.init({
                             selector: this.selector,
    -                        plugins: 'image media wordcount save fullscreen code table lists link',
    -                        toolbar1: 'formatselect | bold italic strikethrough forecolor backcolor image alignleft aligncenter alignright alignjustify | link hr |numlist bullist outdent indent  | removeformat | code | table | aibutton',
    -                        image_advtab: true,
    -                        directionality : "{{ core()->getCurrentLocale()->direction }}",
    +                        relative_urls: false,
    +                        menubar: false,
    +                        remove_script_host: false,
    +                        document_base_url: '{{ asset('/') }}',
    +                        plugins: 'wordcount save fullscreen code table lists link',
    +                        toolbar1: 'formatselect | bold italic strikethrough forecolor backcolor alignleft aligncenter alignright alignjustify | link hr | numlist bullist outdent indent | removeformat | code | table',
    +                        directionality: "{{ core()->getCurrentLocale()->direction }}",
     
                             setup: editor => {
                                 editor.on('keyup', () => this.field.onInput(editor.getContent()));
    

