| Title | bagisto v2.3.15 Cross Site Scripting |
|---|
| Description | The Bagisto application is vulnerable to stored cross-site scripting (stored XSS) via the Custom Scripts configuration feature.
An authenticated, low-privileged administrative user (for example, a custom role with limited permissions) can inject arbitrary JavaScript into the Configure → General → Content → Custom Scripts field. The application does not sanitize or encode this input before rendering it into the page.
As a result, the injected script is stored and executes automatically in the browser of any user who visits the affected pages.
According to the proof of concept, a low-privileged admin user was able to inject the payload:
`alert("XSS by haiiii")`
After the configuration was saved, the payload executed on every page, affecting any user accessing the application. |
|---|
| Source | ⚠️ https://drive.google.com/drive/folders/10p6SYcSVyfaaTg_dgItzMJvqixcmKnHR?usp=sharing |
|---|
| User | hai271120 (UID 96497) |
|---|
| Submission | 01/04/2026 04:01 PM (2 months ago) |
|---|
| Moderation | 21/04/2026 02:04 PM (20 days later) |
|---|
| Status | Accepted |
|---|
| VulDB Entry | 358436 [Bagisto up to 2.3.15 Custom Scripts cross site scripting] |
|---|
| Points | 20 |
|---|
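The security-relevant point in the description is a privilege boundary rather than a missing encoder: a configuration value that is written verbatim into every storefront page is a "trusted HTML" capability, so any role allowed to edit it gets site-wide script execution. The model below is an added example, not Bagisto's code; the role names, permission keys, configuration key and the script-tag payload are constructed for illustration. It contrasts a blanket "can open Configure" check with one that gates the raw-HTML key behind a dedicated permission, shows why the value still lands unescaped in the page (that is the feature's purpose), and adds an audit helper that lists stored keys carrying script content for review.

```python
import html
import re
from dataclasses import dataclass, field

# Hypothetical ACL model (role and permission names are assumptions, not Bagisto's own keys).
ROLE_PERMISSIONS = {
    "super_admin": {"configure", "configure.custom_scripts"},
    "catalog_manager": {"configure"},  # low-privileged custom role from the advisory's scenario
}

# Configuration keys whose values are emitted into every page as raw HTML.
RAW_HTML_KEYS = {"general.content.custom_scripts"}

# Constructed payload: the advisory's alert string, delivered via a script tag.
PAYLOAD = '<script>alert("XSS by haiiii")</script>'

# Markers that indicate script content in a stored value (tags, inline handlers, javascript: URLs).
SCRIPT_MARKER = re.compile(r"<\s*script|\bon\w+\s*=|javascript:", re.IGNORECASE)


@dataclass
class ConfigStore:
    values: dict = field(default_factory=dict)


def save_config_vulnerable(store, role, key, value):
    """Blanket check only: any role that may open Configure can write the raw-HTML key."""
    if "configure" not in ROLE_PERMISSIONS[role]:
        raise PermissionError(role)
    store.values[key] = value
    return True


def save_config_hardened(store, role, key, value):
    """Raw-HTML keys additionally require a dedicated permission."""
    perms = ROLE_PERMISSIONS[role]
    if "configure" not in perms:
        raise PermissionError(role)
    if key in RAW_HTML_KEYS and "configure.custom_scripts" not in perms:
        raise PermissionError(f"{role} may not write trusted-HTML key {key}")
    store.values[key] = value
    return True


def render_page(store, body="<h1>Shop</h1>"):
    """Storefront layout: custom scripts are emitted verbatim (that is the feature's purpose),
    while an ordinary text setting such as the title is HTML-escaped."""
    scripts = store.values.get("general.content.custom_scripts", "")
    title = html.escape(store.values.get("general.content.title", "Store"))
    return f"<html><head><title>{title}</title>{scripts}</head><body>{body}</body></html>"


def low_priv_can_inject(save_fn, role="catalog_manager"):
    """True if `role` can land PAYLOAD unescaped in the rendered page through `save_fn`."""
    store = ConfigStore()
    try:
        save_fn(store, role, "general.content.custom_scripts", PAYLOAD)
    except PermissionError:
        return False
    return PAYLOAD in render_page(store)


def audit_store(store):
    """Keys whose stored value carries script content; raw-HTML keys should be reviewed
    against the snippets an operator actually intended to deploy."""
    return sorted(k for k, v in store.values.items() if SCRIPT_MARKER.search(v))


if __name__ == "__main__":
    print("vulnerable:", low_priv_can_inject(save_config_vulnerable))  # True
    print("hardened:  ", low_priv_can_inject(save_config_hardened))    # False
```

Escaping the field on output would break the legitimate use of a custom-scripts setting, so the fix shape that matches the description is the dedicated-permission gate in `save_config_hardened`, with `audit_store` used after the fact to review what a low-privileged role may already have written.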