Bagisto Cross-Site Scripting Vulnerability in TinyMCE Image Upload

Vulnerability

A cross-site scripting vulnerability has been identified in Bagisto version 2.3.7. The issue arises in the TinyMCE image upload feature, which allows an attacker with admin privileges to upload a specially crafted SVG file containing embedded JavaScript. When the uploaded file is opened in a browser, the malicious script executes in the context of that user's session. The vulnerability exists because the application does not sanitize SVG files (which can carry script elements and event-handler attributes) before serving them, so the embedded script runs unchecked.

Impact

Exploitation of this vulnerability allows for the execution of malicious scripts in the context of the admin or user viewing the content, potentially leading to session hijacking, unauthorized actions, or privilege escalation.

Reproduction

To reproduce this vulnerability, navigate to any form that includes the TinyMCE editor. Attempt to upload an SVG file that has embedded JavaScript. Once uploaded, the JavaScript will be executed when the content is viewed.

Remediation

Users can upgrade to Bagisto version 2.3.8, where this vulnerability has been fixed.
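As an added example (not Bagisto's own code), the following server-side pre-check shows the kind of validation that closes this class of issue: an SVG upload is rejected if it contains script elements, event-handler attributes, executable href schemes, a DTD declaration, or a non-SVG root; all function and message names are my own, and the two sample documents are constructed for the demonstration.

```python
import re
import xml.etree.ElementTree as ET

XLINK_NS = "http://www.w3.org/1999/xlink"
# Element local names that can carry or trigger active content in an SVG.
ACTIVE_TAGS = {"script", "foreignObject", "set", "animate", "handler"}
# href may be unprefixed or in the xlink namespace; ElementTree keys the latter as '{ns}href'.
HREF_ATTRS = {"href", f"{{{XLINK_NS}}}href"}
# URI schemes that execute code when the SVG is rendered inline.
BAD_SCHEME = re.compile(r"^\s*(javascript|vbscript)\s*:", re.I)

def local_name(qname: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on tags and attributes."""
    return qname.rsplit("}", 1)[-1]

def svg_active_content(data: bytes) -> list[str]:
    """Return the reasons an SVG upload should be rejected (empty list = clean)."""
    if b"<!DOCTYPE" in data or b"<!ENTITY" in data:
        # An image never needs a DTD; refuse before the parser expands any entities.
        return ["doctype/entity declaration"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"unparseable XML: {exc}"]
    findings = []
    if local_name(root.tag) != "svg":
        findings.append(f"root element is <{local_name(root.tag)}>, not <svg>")
    for el in root.iter():
        name = local_name(el.tag)
        if name in ACTIVE_TAGS:
            findings.append(f"<{name}> element")
        for attr, value in el.attrib.items():
            aname = local_name(attr)
            if aname.lower().startswith("on"):
                findings.append(f"event handler attribute {aname} on <{name}>")
            elif attr in HREF_ATTRS and BAD_SCHEME.match(value):
                findings.append(f"{aname} with executable scheme on <{name}>")
            elif aname == "style" and "url(" in value.lower():
                findings.append(f"external reference in style on <{name}>")
    return findings

# Constructed samples: a plain icon and one carrying the two most common script vectors.
CLEAN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'
SCRIPTED_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)">'
                b'<script>alert(1)</script></svg>')

if __name__ == "__main__":
    for label, doc in (("clean", CLEAN_SVG), ("scripted", SCRIPTED_SVG)):
        print(label, svg_active_content(doc) or "accepted")
```

Rejecting at upload time is the primary fix; serving user-supplied SVGs with `Content-Disposition: attachment` or a restrictive Content-Security-Policy limits the damage if a file slips through.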

Added: Oct 16, 2025, 7:19 PM
Updated: Oct 16, 2025, 7:19 PM

Vulnerability Rating (Custom Algorithm)

spread          1.0
impact          5.4
exploitability  6.0
remediation     7.7
relevance       0.7
threat          6.4
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.