PT-2025-42533 · Bagisto · Bagisto

Published: 2025-10-16 · Updated: 2025-10-17 · CVE-2025-62414

CVSS v3.1: 6.9 (Medium)
Vector: AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Bagisto versions prior to 2.3.8

Description: Bagisto version 2.3.7 contains a Cross-Site Scripting (XSS) issue in the “Create New Customer” feature of the admin panel. An attacker who can access the admin create-customer form can inject JavaScript payloads into input fields. These payloads execute in the browser of an admin, or of any other user who views the customer data, potentially enabling session theft or unauthorized admin-level actions. The root cause is that the input fields are not properly sanitized or escaped when customer data is rendered in the admin UI; the result is stored XSS, where the script persists in the database and runs each time the record is viewed. The vulnerable input fields are first name and last name.

Recommendations: Upgrade to Bagisto version 2.3.8 or later to resolve this vulnerability.
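The defect class described above is missing escape-on-output: stored first/last name values are placed into admin markup as-is. The following JavaScript is an added illustration written for this advisory; it is not Bagisto's own code (Bagisto's admin is a PHP/Laravel application, and none of the function or field names here are taken from it). It shows the unsafe rendering pattern next to the hardened one, and a small audit helper a defender can run over already-stored records after upgrading, using constructed sample rows.

```javascript
// Added example (not Bagisto's code): escape-on-output for customer name
// fields rendered into an admin UI, plus a post-upgrade audit helper.

// Escape the five characters that can break out of HTML text content or
// a quoted attribute value.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: stored fields are concatenated straight into markup,
// so any tag saved in the name field is interpreted by the viewer's browser.
function renderCustomerUnsafe(customer) {
  return `<tr><td>${customer.first_name}</td><td>${customer.last_name}</td></tr>`;
}

// Hardened pattern: every stored field is escaped at render time, so the
// same value is displayed as literal text instead of being interpreted.
function renderCustomerSafe(customer) {
  return `<tr><td>${escapeHtml(customer.first_name)}</td>` +
         `<td>${escapeHtml(customer.last_name)}</td></tr>`;
}

// Heuristic: does a stored value contain something that looks like an HTML
// tag? Real names never start a tag, so a hit is worth a manual look.
function looksLikeMarkup(value) {
  return /<\s*[a-z\/!]/i.test(String(value));
}

// Audit helper: return the ids of records whose name fields contain markup.
// Intended for checking data that was saved before the fix was applied.
function findSuspiciousCustomers(records) {
  return records
    .filter((c) => looksLikeMarkup(c.first_name) || looksLikeMarkup(c.last_name))
    .map((c) => c.id);
}

// Constructed sample rows (hypothetical, not real customer data).
const constructedRecords = [
  { id: 1, first_name: "Alice", last_name: "O'Brien" },
  { id: 2, first_name: "Mallory<script>alert(1)</script>", last_name: "Example" },
  { id: 3, first_name: "Bob", last_name: "<img src=x onerror=alert(1)>" },
];

console.log("unsafe:", renderCustomerUnsafe(constructedRecords[1]));
console.log("safe:  ", renderCustomerSafe(constructedRecords[1]));
console.log("suspicious ids:", findSuspiciousCustomers(constructedRecords));
```

The audit heuristic is deliberately narrow (it only flags values that open an HTML tag) so it produces few false positives on legitimate names containing apostrophes or ampersands; it is a triage aid, not a substitute for escaping at render time.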

Tags: Exploit · Fix · XSS


Weakness Enumeration

Related Identifiers

CVE-2025-62414
GHSA-R9XJ-MVQF-JM7W

Affected Products

Bagisto