Bagisto Stored Cross-Site Scripting Vulnerability in CMS Page Editor

A stored Cross-Site Scripting (XSS) vulnerability has been identified in Bagisto versions prior to 2.3.10, within the CMS page editor. The platform's attempt to sanitize `<script>` tags can be bypassed by manipulating the raw HTTP POST request before submission. This allows arbitrary JavaScript to be stored in the CMS content and executed whenever the page is viewed or edited, posing a significant risk to administrators, including complete account takeover and backend hijacking.

Impact

Exploitation of this vulnerability allows for stored Cross-Site Scripting, where injected JavaScript is executed in the context of the user viewing the page, potentially leading to administrative account takeover and unauthorized actions being performed with admin privileges.

Reproduction

To reproduce this vulnerability, log into a Bagisto 2.3.8 installation as an admin. Navigate to the CMS page editor and intercept the HTTP request using a proxy tool. Modify the `html_content` field to include unfiltered JavaScript, bypassing the UI-level sanitization. Once the request is submitted, the injected script will be executed when the page is viewed or edited.

Remediation

Users are advised to update to Bagisto version 2.3.10, which addresses this vulnerability.