{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-62414", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-10-13T16:26:12.179Z", "datePublished": "2025-10-16T18:33:03.900Z", "dateUpdated": "2025-10-17T14:31:54.961Z"}, "containers": {"cna": {"title": "bagisto - Cross Site Scripting (XSS) in Create New Customer", "problemTypes": [{"descriptions": [{"cweId": "CWE-80", "lang": "en", "description": "CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-87", "lang": "en", "description": "CWE-87: Improper Neutralization of Alternate XSS Syntax", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/bagisto/bagisto/security/advisories/GHSA-r9xj-mvqf-jm7w", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/bagisto/bagisto/security/advisories/GHSA-r9xj-mvqf-jm7w"}], "affected": [{"vendor": "bagisto", "product": "bagisto", "versions": [{"version": "< 2.3.8", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-10-16T18:33:03.900Z"}, "descriptions": [{"lang": "en", "value": "Bagisto is an open source laravel eCommerce platform. In Bagisto v2.3.7, the \u201cCreate New Customer\u201d feature (in the admin panel) is vulnerable to Cross-Site Scripting (XSS). An attacker with access to the admin create-customer form can inject malicious JavaScript payloads into certain input fields. These payloads may later execute in the context of an admin\u2019s browser or another user viewing the customer data, enabling session theft or admin-level actions. This vulnerability is fixed in 2.3.8."}], "source": {"advisory": "GHSA-r9xj-mvqf-jm7w", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/bagisto/bagisto/security/advisories/GHSA-r9xj-mvqf-jm7w", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-10-17T14:31:52.227750Z", "id": "CVE-2025-62414", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-17T14:31:54.961Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"cna": {"title": "bagisto - Cross Site Scripting (XSS) in Create New Customer", "source": {"advisory": "GHSA-r9xj-mvqf-jm7w", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "bagisto", "product": "bagisto", "versions": [{"status": "affected", "version": "< 2.3.8"}]}], "references": [{"url": "https://github.com/bagisto/bagisto/security/advisories/GHSA-r9xj-mvqf-jm7w", "name": "https://github.com/bagisto/bagisto/security/advisories/GHSA-r9xj-mvqf-jm7w", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Bagisto is an open source laravel eCommerce platform. In Bagisto v2.3.7, the \u201cCreate New Customer\u201d feature (in the admin panel) is vulnerable to Cross-Site Scripting (XSS). An attacker with access to the admin create-customer form can inject malicious JavaScript payloads into certain input fields. These payloads may later execute in the context of an admin\u2019s browser or another user viewing the customer data, enabling session theft or admin-level actions. This vulnerability is fixed in 2.3.8."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-80", "description": "CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-87", "description": "CWE-87: Improper Neutralization of Alternate XSS Syntax"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-10-16T18:33:03.900Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-62414", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-10-17T14:31:52.227750Z"}}}], "references": [{"url": "https://github.com/bagisto/bagisto/security/advisories/GHSA-r9xj-mvqf-jm7w", "tags": ["exploit"]}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2025-10-17T14:31:46.672Z"}}]}, "cveMetadata": {"cveId": "CVE-2025-62414", "state": "PUBLISHED", "dateUpdated": "2025-10-16T18:33:03.900Z", "dateReserved": "2025-10-13T16:26:12.179Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-10-16T18:33:03.900Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:webkul:bagisto:2.3.7:*:*:*:*:*:*:*", "matchCriteriaId": "991C244A-9DC2-431C-8ABC-BCF3AE81AD09", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Bagisto is an open source laravel eCommerce platform. In Bagisto v2.3.7, the \u201cCreate New Customer\u201d feature (in the admin panel) is vulnerable to Cross-Site Scripting (XSS). An attacker with access to the admin create-customer form can inject malicious JavaScript payloads into certain input fields. These payloads may later execute in the context of an admin\u2019s browser or another user viewing the customer data, enabling session theft or admin-level actions. This vulnerability is fixed in 2.3.8."}], "id": "CVE-2025-62414", "lastModified": "2025-10-22T17:21:50.510", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.7, "impactScore": 4.7, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.7, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-10-16T19:15:34.170", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/bagisto/bagisto/security/advisories/GHSA-r9xj-mvqf-jm7w"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/bagisto/bagisto/security/advisories/GHSA-r9xj-mvqf-jm7w"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-80"}, {"lang": "en", "value": "CWE-87"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}