Bagisto Stored Cross-Site Scripting Vulnerability in Admin Panel Product Creation Path

Vulnerability

A stored cross-site scripting vulnerability has been identified in the Bagisto admin panel version 2.3.6, specifically within the product creation process. This vulnerability allows authenticated admin users to upload specially crafted SVG files that contain malicious JavaScript. Once uploaded, the JavaScript can execute in the browser, potentially leading to session hijacking, data theft, or unauthorized actions.

Impact

Exploitation of this vulnerability allows for the execution of arbitrary JavaScript in the context of the user's browser, which could be used to hijack sessions, steal data, or perform unauthorized actions on behalf of the user.

Reproduction

To reproduce this vulnerability, log into the Bagisto admin panel as an authenticated administrator. Navigate to the product creation section and upload a crafted SVG file that includes a JavaScript payload. After modifying the Content-Type header so that the upload is accepted, the malicious SVG is stored on the server. When the stored file's URL is opened, the embedded JavaScript executes in the browser of whoever opens it.

Remediation

It is recommended to validate uploaded files on the server by inspecting their contents rather than trusting the client-supplied Content-Type header, to enforce content-type restrictions, and to limit uploads to trusted formats. Where SVG uploads must be allowed, the files should be sanitized to remove script elements, event-handler attributes, and script-capable URL schemes before they are stored or served.
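As an added illustration of that remediation (example code written for this page, not part of the advisory or of Bagisto's code base), the following Python check inspects the uploaded bytes themselves, so the Content-Type bypass described above has no effect; the element denylist and the treatment of data: URLs are assumptions a deployment would tune.

```python
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
# Elements that can carry or load script inside an SVG (assumed denylist; extend as needed).
SCRIPT_BEARING_TAGS = {"script", "foreignObject", "iframe", "embed", "object"}
# Whitespace and control characters that browsers skip when reading a URL scheme.
_SCHEME_NOISE = re.compile(r"[\s\x00-\x1f]")

def _local(name: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on tag and attribute names."""
    return name.rsplit("}", 1)[-1]

def svg_findings(data: bytes) -> list[str]:
    """Return reasons an uploaded SVG must be rejected; an empty list means clean.

    Only the bytes are inspected, so a spoofed Content-Type header (the bypass the
    advisory describes) changes nothing.
    """
    upper = data.upper()
    if b"<!DOCTYPE" in upper or b"<!ENTITY" in upper:
        return ["DOCTYPE/ENTITY declarations are not accepted in uploaded SVGs"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    findings: list[str] = []
    if root.tag != f"{{{SVG_NS}}}svg":
        findings.append(f"root element is {root.tag!r}, not an SVG document")
    for el in root.iter():
        tag = _local(el.tag)
        if tag in SCRIPT_BEARING_TAGS:
            findings.append(f"forbidden element <{tag}>")
        for attr, value in el.attrib.items():
            name = _local(attr).lower()
            if name.startswith("on"):
                findings.append(f"event handler attribute {name} on <{tag}>")
            if _SCHEME_NOISE.sub("", value).lower().startswith(("javascript:", "data:")):
                findings.append(f"attribute {name} on <{tag}> uses a script-capable URL scheme")
    return findings

if __name__ == "__main__":
    # Constructed samples: one benign SVG and one containing an (empty) script element.
    for sample in (b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>',
                   b'<svg xmlns="http://www.w3.org/2000/svg"><script/></svg>'):
        print(sample.decode(), "->", svg_findings(sample) or "accepted")
```

Rejecting every data: URL is deliberately conservative; an application that needs embedded raster images inside SVGs would allow data:image/* explicitly and still reject the rest.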

Added: Oct 10, 2025, 7:17 PM
Updated: Oct 10, 2025, 7:17 PM

Vulnerability Rating

Custom Algorithm

spread: 1.0
impact: 5.4
exploitability: 6.0
remediation: 0.0
relevance: 0.7
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.