Aimeos GrapesJS CMS Extension Stored Cross-Site Scripting Vulnerability

Vulnerability

A stored cross-site scripting vulnerability has been identified in the Aimeos GrapesJS CMS extension. It affects the following version ranges (lower bound inclusive, upper bound exclusive): 2021.04.1 to 2021.10.8, 2022.04.1 to 2022.10.9, 2023.04.1 to 2023.10.15, 2024.04.1 to 2024.10.8, and 2025.04.1 to 2025.10.2. The vulnerability allows malicious editors to inject JavaScript code that is stored and executed later, but only if the standard Content Security Policy is disabled.

Impact

Exploiting this vulnerability allows JavaScript code to be injected and stored, resulting in a stored cross-site scripting attack in which the injected script is executed in the context of the user.

Remediation

Users can update to Aimeos GrapesJS CMS extension versions 2021.10.8, 2022.10.9, 2023.10.15, 2024.10.8, or 2025.10.2 to address this vulnerability. If the standard Content Security Policy rules are active, an exploit is not possible.
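
To find out whether a deployment is in one of the affected ranges, the locked version can be compared against the ranges listed above. The following is an added example, not code from Aimeos or from this advisory; the Composer package name and the sample lock file content are assumptions and are labelled as such in the code.

```python
import json
import re

# Affected ranges from the advisory: (first affected, first fixed).
AFFECTED_RANGES = [
    ((2021, 4, 1), (2021, 10, 8)),
    ((2022, 4, 1), (2022, 10, 9)),
    ((2023, 4, 1), (2023, 10, 15)),
    ((2024, 4, 1), (2024, 10, 8)),
    ((2025, 4, 1), (2025, 10, 2)),
]
# Assumption: Composer package name of the extension; not stated in the advisory.
PACKAGE = "aimeos/ai-cms-grapesjs"

def parse_version(text):
    """Return (year, month, patch), or None for dev/branch versions."""
    m = re.fullmatch(r"v?(\d{4})\.(\d{1,2})\.(\d+)", text.strip())
    return tuple(int(p) for p in m.groups()) if m else None

def check_version(text):
    """Return ('affected', fixed), ('not-affected', None) or ('unknown', None)."""
    version = parse_version(text)
    if version is None:
        return ("unknown", None)  # e.g. "2025.10.x-dev": review manually
    for first, fixed in AFFECTED_RANGES:
        if first <= version < fixed:
            return ("affected", "%d.%02d.%d" % fixed)
    return ("not-affected", None)

def check_lockfile(lock_text):
    """Check every locked copy of PACKAGE in a composer.lock document."""
    lock = json.loads(lock_text)
    results = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") == PACKAGE:
                results.append((pkg["version"],) + check_version(pkg["version"]))
    return results

# Constructed sample input, not taken from a real project.
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "example/other-package", "version": "1.2.3"},
    {"name": PACKAGE, "version": "2024.10.7"},
]})

if __name__ == "__main__":
    for version, status, fixed in check_lockfile(SAMPLE_LOCK):
        print(version, status, "-> upgrade to " + fixed if fixed else "")
```

A result of "unknown" means the locked version is a development or branch reference that cannot be compared numerically and should be reviewed by hand.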

Added: Dec 2, 2025, 7:16 PM
Updated: Dec 2, 2025, 7:16 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 1.7
exploitability: 5.2
remediation: 0.0
relevance: 1.2
threat: 3.2
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.