Reflected Cross-Site Scripting (XSS) in Bagisto

Posted date: 09/06/2025
Identifier: INCIBE-2025-0299
Importance: 3 - Medium
Affected Resources

Bagisto, v2.0.0.

Description

INCIBE has coordinated the publication of a medium-severity vulnerability affecting Bagisto, an eCommerce software package. The vulnerability was discovered by Gonzalo Aguilar García (6h4ack).

This vulnerability has been assigned the following code, CVSS v4.0 base score, CVSS vector and CWE vulnerability type:

  • CVE-2025-40675: CVSS v4.0: 5.1 | CVSS AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N | CWE-79

Solution

The Bagisto team assures that the vulnerability is no longer found in version 2.2.3.

Detail

CVE-2025-40675: A reflected Cross-Site Scripting (XSS) vulnerability has been found in Bagisto v2.0.0. It allows an attacker to execute JavaScript code in the victim's browser by sending the victim a malicious URL that carries the payload in the 'query' parameter of the /search endpoint, whose value is reflected into the page without output encoding. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user.
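The following Python example is added here to illustrate the CWE-79 pattern behind this advisory; it is not Bagisto's code and does not reproduce its templates. It models a search page that echoes the 'query' parameter, shows the unencoded rendering beside the HTML-encoded fix, and runs a simple detection over constructed access-log lines that flags /search requests whose decoded query contains markup. The URL, template string, and log lines are constructed for the example.

```python
import html
import re
from urllib.parse import urlsplit, parse_qs

# Stand-in for a search results page that echoes the search term.
# Constructed for this example; it only models the reflected-parameter pattern.
TEMPLATE = '<h1>Search results for "{term}"</h1>'

def render_search_unsafe(term: str) -> str:
    """Vulnerable pattern: the raw parameter is interpolated into markup."""
    return TEMPLATE.format(term=term)

def render_search_safe(term: str) -> str:
    """Fixed pattern: HTML-encode the value for the element-content context."""
    return TEMPLATE.format(term=html.escape(term, quote=True))

def query_param_from_url(url: str) -> str:
    """Extract the percent-decoded 'query' parameter as a browser would send it."""
    return parse_qs(urlsplit(url).query).get("query", [""])[0]

def reflects_markup(rendered: str, term: str) -> bool:
    """True if a term containing a tag survives into the page as live markup."""
    return "<" in term and term in rendered

# Constructed sample URL: a harmless <b> tag stands in for attacker-controlled input.
SAMPLE_URL = "https://shop.example/search?query=%3Cb%3Emarker%3C%2Fb%3E"

# Detection side: flag /search requests whose decoded query carries angle brackets.
LOG_RE = re.compile(r'"GET (?P<path>/search\?[^ "]+) HTTP/')

def suspicious_search_requests(log_lines):
    """Return the decoded query terms of /search requests that contain markup."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        term = query_param_from_url("http://host" + m.group("path"))
        if "<" in term or ">" in term:
            hits.append(term)
    return hits

# Constructed access-log lines (common log format) for the detection check.
SAMPLE_LOG = [
    '10.0.0.5 - - [09/Jun/2025:10:00:01 +0000] "GET /search?query=shoes HTTP/1.1" 200 5120',
    '10.0.0.9 - - [09/Jun/2025:10:00:07 +0000] "GET /search?query=%3Cb%3Emarker%3C%2Fb%3E HTTP/1.1" 200 5200',
    '10.0.0.9 - - [09/Jun/2025:10:00:09 +0000] "GET /product/1 HTTP/1.1" 200 800',
]

if __name__ == "__main__":
    term = query_param_from_url(SAMPLE_URL)
    print(render_search_unsafe(term))  # the tag lands in the DOM as markup
    print(render_search_safe(term))    # the tag is rendered as literal text
    print(suspicious_search_requests(SAMPLE_LOG))
```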
