Aimeos GrapesJS CMS extension possible stored XSS exploitable by authenticated editors
Description
The Aimeos GrapesJS CMS extension provides a page editor for creating content pages based on extensible components. Prior to 2021.10.8, 2022.10.8, 2023.10.8, 2024.10.8, and 2025.10.8, JavaScript code can be injected by malicious editors for a stored XSS attack if the standard Content Security Policy is disabled. This vulnerability is fixed in 2021.10.8, 2022.10.8, 2023.10.8, 2024.10.8, and 2025.10.8.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in Aimeos GrapesJS CMS lets authenticated editors inject JavaScript when CSP is disabled; patched in versions 2021.10.8+.
Vulnerability
The Aimeos GrapesJS CMS extension, used for building content pages, fails to properly sanitize HTML input from authenticated editors. This allows the injection of malicious JavaScript code, leading to stored cross-site scripting (XSS) [1]. The root cause is the lack of HTML purification before storing content in the database.
Exploitation
To exploit this vulnerability, an attacker must have editor-level access to the CMS. Additionally, the standard Content Security Policy (CSP) must be disabled; if CSP rules are active (default in production mode), the exploit is not possible [4].
Impact
A successful stored XSS attack enables an attacker to execute arbitrary JavaScript in the context of the admin interface when other users view the compromised page. This can lead to data theft, session hijacking, or further compromise of the site.
Mitigation
The issue has been fixed by incorporating the HTMLPurifier library to sanitize all stored HTML content [3]. Patched versions are 2021.10.8, 2022.10.8, 2023.10.8, 2024.10.8, and 2025.10.8. Users are advised to upgrade to the latest patched version or ensure CSP is enabled as a workaround [1][4].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
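The mitigation described above, HTMLPurifier applied to every content entry before it is stored, as an added example written for this page rather than code from the Aimeos project. It assumes ezyang/htmlpurifier is installed through Composer; the `buildPurifier` and `sanitizeEntries` names and the sample entries are constructed for illustration.

```php
<?php
// Added example, not Aimeos project code: sanitize editor-supplied HTML before
// storing it, as the fix commit does. Assumes ezyang/htmlpurifier via Composer.
require_once __DIR__ . '/vendor/autoload.php';

// Build the purifier once per request with the settings from the patch; creating
// the config and definitions inside the entry loop would repeat that work.
function buildPurifier(): HTMLPurifier
{
    $config = HTMLPurifier_Config::createDefault();
    // Same relaxation as the fix: allow target="_blank" / "_self" on links.
    $config->set('Attr.AllowedFrameTargets', ['_blank', '_self']);
    // Keep the example self-contained: no definition cache written to disk.
    $config->set('Cache.DefinitionImpl', null);
    return new HTMLPurifier($config);
}

// Mirrors the patched fromArray() loop: skip empty bodies, purify the rest.
// The explicit === '' comparison keeps a legitimate body of "0" from being
// dropped, which a bare truthiness test in PHP would do.
function sanitizeEntries(array $entries, HTMLPurifier $purifier): array
{
    $clean = [];
    foreach ($entries as $entry) {
        $content = trim($entry['text.content'] ?? '');
        if ($content === '') {
            continue;
        }
        $entry['text.content'] = $purifier->purify($content);
        $clean[] = $entry;
    }
    return $clean;
}

// Constructed sample entries containing the markup the sanitizer must strip:
// a script element, an event-handler attribute and a javascript: URL.
$submitted = [
    ['text.id' => '1', 'text.content' => '<p>Welcome</p><script>alert(1)</script>'],
    ['text.id' => '2', 'text.content' => '<img src="logo.png" onerror="alert(1)">'],
    ['text.id' => '3', 'text.content' => '<a href="javascript:alert(1)" target="_blank">more</a>'],
    ['text.id' => '4', 'text.content' => '   '],
];

$purifier = buildPurifier();
foreach (sanitizeEntries($submitted, $purifier) as $entry) {
    // <script>, onerror and the javascript: href are removed; target="_blank" stays.
    echo $entry['text.id'], ': ', $entry['text.content'], PHP_EOL;
}
```

Purification is applied on write, so it protects later viewers of the page regardless of whether the CSP workaround from the advisory is in place.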
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| aimeos/ai-cms-grapesjs (Packagist) | >= 2021.04.1, < 2021.10.8 | 2021.10.8 |
| aimeos/ai-cms-grapesjs (Packagist) | >= 2022.04.1, < 2022.10.9 | 2022.10.9 |
| aimeos/ai-cms-grapesjs (Packagist) | >= 2023.04.1, < 2023.10.15 | 2023.10.15 |
| aimeos/ai-cms-grapesjs (Packagist) | >= 2024.04.1, < 2024.10.8 | 2024.10.8 |
| aimeos/ai-cms-grapesjs (Packagist) | >= 2025.04.1, < 2025.10.2 | 2025.10.2 |
Affected products
- aimeos/ai-cms-grapesjs, range: >= 2021.04.1, < 2021.10.8
Patches
2214f71ac27c Sanitize stored HTML to prevent XSS
2 files changed · +8 −1
composer.json+1 −0 modified@@ -8,6 +8,7 @@ "minimum-stability": "dev", "require": { "php": "^8.0.11", + "ezyang/htmlpurifier": "^4.19", "aimeos/aimeos-core": "dev-master", "aimeos/ai-admin-jqadm": "dev-master", "aimeos/ai-admin-jsonadm": "dev-master",
src/Admin/JQAdm/Cms/Content/Standard.php+7 −1 modified@@ -318,10 +318,16 @@ protected function fromArray( \Aimeos\MShop\Cms\Item\Iface $item, array $data ) foreach( $data as $idx => $entry ) { - if( trim( $this->val( $entry, 'text.content', '' ) ) === '' ) { + if( !( $content = trim( $this->val( $entry, 'text.content', '' ) ) ) ) { continue; } + $config = \HTMLPurifier_Config::createDefault(); + $config->set( 'Attr.AllowedFrameTargets', ['_blank', '_self'] ); + + $purifier = new \HTMLPurifier( $config ); + $entry['text.content'] = $purifier->purify( $content ); + $id = $this->val( $entry, 'text.id', '' ); $type = $this->val( $entry, 'cms.lists.type', 'default' );
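Review bot: In the Standard.php hunk, the new guard `if( !( $content = trim( $this->val( $entry, 'text.content', '' ) ) ) )` replaces the old `=== ''` comparison with a truthiness test, so a content body consisting solely of "0" is now skipped silently; keep the strict comparison, e.g. `if( ( $content = trim( $this->val( $entry, 'text.content', '' ) ) ) === '' )`, unless dropping "0" is intended. Also, `\HTMLPurifier_Config::createDefault()` and `new \HTMLPurifier( $config )` are built inside the `foreach( $data as $idx => $entry )` loop; hoisting both above the loop builds the configuration once per request instead of once per entry. A short comment stating why purification happens here (stored content is rendered in the admin interface, and the CSP is a separate, optional defence) would help readers of fromArray() later.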
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. github.com/advisories/GHSA-424m-fj2q-g7vg (GitHub Security Advisory)
2. nvd.nist.gov/vuln/detail/CVE-2025-66468 (NVD advisory)
3. github.com/aimeos/ai-cms-grapesjs/commit/2214f71ac27cdea25f11c8adf6bb5816db47a042 (fix commit)
4. github.com/aimeos/ai-cms-grapesjs/security/advisories/GHSA-424m-fj2q-g7vg (vendor advisory)