Reflected Cross-Site Scripting (XSS) in Bagisto
Bagisto, v2.0.0.
INCIBE has coordinated the publication of a medium-severity vulnerability affecting Bagisto, a Laravel-based eCommerce platform. The vulnerability was discovered by Gonzalo Aguilar García (6h4ack).
This vulnerability has been assigned the following code, CVSS v4.0 base score, CVSS vector and CWE vulnerability type:
- CVE-2025-40675: CVSS v4.0: 5.1 | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N | CWE-79
The Bagisto team states that the vulnerability has been fixed in version 2.2.3.
CVE-2025-40675: A reflected Cross-Site Scripting (XSS) vulnerability has been found in Bagisto v2.0.0. The search term supplied in the query parameter of /search is reflected in the response without proper output encoding (CWE-79), so an attacker who persuades a victim to open a crafted URL can execute arbitrary JavaScript in the victim's browser in the context of the site. This can be used to steal sensitive user data, such as session cookies that are not protected by the HttpOnly flag, or to perform actions on behalf of the user.
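The following is an added example, not code from Bagisto or from the advisory. It models the flaw class described above (a search term reflected into HTML without encoding) with two constructed renderers standing in for the /search page, and a canary-based probe of the kind a tester would run to confirm or rule out the reflection. The parameter name query and the /search path come from the advisory; the renderer bodies and the canary string are assumptions.

```python
import html
from urllib.parse import quote, parse_qs, urlsplit

# Canary carrying the metacharacters that must be encoded in HTML text and
# quoted-attribute contexts. If any of them come back verbatim, the page
# reflects input unescaped and is injectable. (Constructed value.)
CANARY = 'xq9"\'<>'


def query_param(url: str) -> str:
    """Extract the `query` parameter from a /search URL (name taken from the advisory)."""
    params = parse_qs(urlsplit(url).query)
    return params.get("query", [""])[0]


def render_search_vulnerable(query: str) -> str:
    """Constructed stand-in for a page that interpolates the search term raw (CWE-79)."""
    return f'<h1>Search results for "{query}"</h1>'


def render_search_fixed(query: str) -> str:
    """Same page with contextual output encoding for HTML text / attribute values."""
    return f'<h1>Search results for "{html.escape(query, quote=True)}"</h1>'


def reflects_unescaped(body: str, canary: str = CANARY) -> bool:
    """True if the canary's metacharacters survive intact in the response body."""
    return canary in body


def probe(renderer) -> bool:
    """Build the attacker-style URL, run it through the renderer, report reflection."""
    url = "/search?query=" + quote(CANARY, safe="")
    body = renderer(query_param(url))
    return reflects_unescaped(body)


if __name__ == "__main__":
    print("vulnerable renderer reflects canary:", probe(render_search_vulnerable))
    print("fixed renderer reflects canary:     ", probe(render_search_fixed))
```

html.escape is the right encoder only for HTML text and quoted attribute values; a term reflected into a JavaScript string, a URL, or a CSS value needs that context's encoder instead. In Laravel's Blade templates the {{ }} syntax applies this HTML encoding automatically, whereas {!! !!} emits the value raw.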