Bagisto
cpe:2.3:a:webkul:bagisto:*:*:*:*:*:*:*
- 2.3.7
A cross-site scripting (XSS) vulnerability has been identified in Bagisto version 2.3.7. The issue arises in the TinyMCE image upload feature, where an attacker with administrative privileges can upload a manipulated HTML file containing embedded JavaScript. Although the application normally blocks HTML file uploads, it inadvertently allows this one: if the backend detects HTML or JavaScript content inside a file uploaded with a .png extension, it renames the file from .png to .html instead of rejecting it. Once the file is uploaded and viewed, the embedded JavaScript executes in the context of the user's browser.
Exploitation of this vulnerability allows for stored cross-site scripting, where the uploaded HTML file executes malicious scripts when accessed by users with administrative or editing rights. This could lead to session hijacking, unauthorized actions, or privilege escalation.
To reproduce this vulnerability, upload a file with a .png extension that contains JavaScript code. The backend will convert the file to .html. When the file is opened in a browser, the JavaScript executes, demonstrating the cross-site scripting vulnerability.
Users can upgrade to Bagisto version 2.3.8, where this vulnerability has been fixed.
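As an added illustration (not Bagisto's own code), the following Python models the upload-handling flaw described above next to a hardened validator: the weak path derives the stored extension from content sniffing, the hardened path requires the declared extension, the magic bytes and the body to agree and never emits an active content type. File names, magic bytes and sample payloads are constructed.

```python
"""Illustrative upload validator (added example, not Bagisto's code)."""
import re

# Constructed sample inputs, not files from the advisory.
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
GOOD_PNG = PNG_MAGIC + b"\x00" * 32
HTML_AS_PNG = b"<html><body><script>/* js */</script></body></html>"

# Allow-listed image extensions and the magic bytes each must start with.
IMAGE_MAGIC = {
    "png": PNG_MAGIC,
    "jpg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}
# Markup that would make a served file executable in a browser.
ACTIVE_CONTENT = re.compile(rb"<\s*(script|html|svg|iframe|body)\b", re.I)


def weak_store(filename: str, data: bytes) -> str:
    """Vulnerable pattern: the stored extension follows the sniffed content."""
    stem, _, ext = filename.rpartition(".")
    if ACTIVE_CONTENT.search(data):
        ext = "html"  # ".png" becomes ".html": stored XSS once served
    return f"{stem}.{ext}"


def hardened_store(filename: str, data: bytes) -> str:
    """Accept only when the declared extension is an allow-listed image type,
    the magic bytes match it, and the body carries no HTML/script markup."""
    stem, _, ext = filename.rpartition(".")
    ext = ext.lower()
    if ext not in IMAGE_MAGIC:
        raise ValueError(f"extension .{ext} not allowed")
    if not data.startswith(IMAGE_MAGIC[ext]):
        raise ValueError("content does not match declared image type")
    if ACTIVE_CONTENT.search(data):
        raise ValueError("active content found in image upload")
    # The extension comes from the allow-list, never from the content.
    return f"{stem}.{ext}"


def is_accepted(filename: str, data: bytes) -> bool:
    """True if the hardened validator would store the upload."""
    try:
        hardened_store(filename, data)
        return True
    except ValueError:
        return False
```

Serving uploads from a separate origin with an explicit image Content-Type and `X-Content-Type-Options: nosniff` limits the impact even if a validation gap remains.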