Bagisto
cpe:2.3:a:webkul:bagisto:*:*:*:*:*:*:*
- 2.3.7
A stored Cross-Site Scripting (XSS) vulnerability has been identified in Bagisto version 2.3.7, specifically within the 'Create New Customer' feature in the admin panel. This issue allows an attacker with access to the customer creation form to inject malicious JavaScript into certain input fields. The injected scripts can execute in the context of an admin's browser or another user viewing the customer data, potentially leading to session theft or unauthorized admin actions. The vulnerability arises from inadequate sanitization of input fields, allowing harmful scripts to be stored in the database and executed when customer records are accessed.
Exploitation of this vulnerability allows for stored XSS, where injected scripts are executed in the context of the user viewing the affected customer records. This could lead to session hijacking, unauthorized actions being performed as an admin, or escalation of privileges.
To reproduce this vulnerability, navigate to the 'Create New Customer' form in the admin panel of Bagisto v2.3.7. Inject a JavaScript payload, such as a script tag or an SVG image with an 'onload' event, into the 'first_name' and 'last_name' fields. Once the customer is created, the injected script will execute when the customer record is viewed.
Users can upgrade to Bagisto version 2.3.8, where this vulnerability has been fixed.
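The root cause described above is the classic stored-XSS pattern: untrusted customer names are written to the database and later interpolated into admin-panel HTML without output encoding. The following is an added illustration, not Bagisto's own code (Bagisto is PHP/Laravel; Python is used here only to show the general pattern). The customer records, the `render_unsafe`/`render_safe` renderers, the `validate_name` allowlist and the `find_suspicious` scan are all constructed for this example. It shows the vulnerable rendering beside the hardened one, an input-side allowlist check that would have rejected the payloads the advisory mentions, and a small audit pass a defender could run over already-stored records to find names that contain markup.

```python
import html
import re

# Constructed sample records, shaped like what an unsanitized
# 'Create New Customer' form would leave in the database.
# (Example data only, not taken from Bagisto.)
CUSTOMERS = [
    {"id": 1, "first_name": "Alice", "last_name": "O'Brien"},
    {"id": 2, "first_name": "<script>x()</script>", "last_name": "Smith"},
    {"id": 3, "first_name": "Bob", "last_name": "<svg onload=x()>"},
]


def render_unsafe(customer):
    """Vulnerable pattern: raw interpolation of stored fields into HTML.
    Anything stored in first_name/last_name becomes live markup."""
    return f"<td>{customer['first_name']} {customer['last_name']}</td>"


def render_safe(customer):
    """Hardened pattern: HTML-escape at output time, in the HTML text context.
    Stored payloads are displayed as inert text instead of executed."""
    first = html.escape(customer["first_name"], quote=True)
    last = html.escape(customer["last_name"], quote=True)
    return f"<td>{first} {last}</td>"


# Input-side allowlist for a person's name: word characters (Unicode-aware),
# whitespace, period, apostrophe and hyphen, bounded in length.
# Defence in depth only; output encoding above is the actual XSS fix.
NAME_RE = re.compile(r"^[\w\s.'-]{1,100}$")


def validate_name(value):
    """Return True if the name matches the allowlist, False otherwise."""
    return NAME_RE.fullmatch(value) is not None


# Anything that looks like the start of a tag (or a closing tag) in a name
# field is worth a manual review: names should never contain markup.
TAG_RE = re.compile(r"<\s*/?\s*[A-Za-z]")


def find_suspicious(customers):
    """Audit pass over stored records: return the ids whose name fields
    contain tag-like content, sorted ascending."""
    hits = []
    for c in customers:
        if TAG_RE.search(c["first_name"]) or TAG_RE.search(c["last_name"]):
            hits.append(c["id"])
    return sorted(hits)


if __name__ == "__main__":
    for c in CUSTOMERS:
        print(c["id"], "unsafe:", render_unsafe(c))
        print(c["id"], "safe:  ", render_safe(c))
    print("records needing review:", find_suspicious(CUSTOMERS))
```

The audit function is the piece worth running after upgrading: patching the form stops new payloads from being stored, but records created while the vulnerable version was in use remain in the database and should be cleaned up or re-rendered through the escaping path.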