Bagisto SSTI vulnerability in type parameter can lead to RCE
SSTI is possible in Bagisto via the type parameter and can lead to RCE and other exploitation.
Vulnerable code file: packages/Webkul/Installer/src/Routes/web.php

    <?php

    use Illuminate\Session\Middleware\StartSession;
    use Illuminate\Support\Facades\Route;
    use Webkul\Installer\Http\Controllers\InstallerController;

    Route::middleware(['web', 'installer_locale'])->group(function () {
        Route::controller(InstallerController::class)->group(function () {
            Route::get('install', 'index')->name('installer.index');

            Route::middleware(StartSession::class)->prefix('install/api')->group(function () {
                Route::post('env-file-setup', 'envFileSetup')->name('installer.env_file_setup');
                Route::post('run-migration', 'runMigration')->name('installer.run_migration')->withoutMiddleware('web');
                Route::post('run-seeder', 'runSeeder')->name('installer.run_seeder')->withoutMiddleware('web');
                Route::get('download-sample', 'downloadSample')->name('installer.download_sample')->withoutMiddleware('web');
                Route::post('admin-config-setup', 'adminConfigSetup')->name('installer.admin_config_setup')->withoutMiddleware('web');
                Route::post('sample-products-setup', 'createSampleProducts')->name('installer.sample_products_setup')->withoutMiddleware('web');
            });
        });
    });

These API routes remain active even after the initial installation is complete, allowing any unauthenticated attacker to:
- Create admin accounts
- Modify application configuration
- Potentially overwrite existing data
The underlying API endpoints (/install/api/*) are directly …
SSTI is possible via the first-name and last-name parameters supplied by the lowest-privileged users.
SSTI: when a normal customer orders any product, a value injected in the add-address step is rendered and evaluated in the admin view.
An Insecure Direct Object Reference vulnerability in the customer order reorder function allows any authenticated customer to add items from another customer's order to their own shopping cart by manipulating the order ID parameter. This exposes sensitive purchase information and enables potential fraud.
A stored Cross-Site Scripting (XSS) vulnerability exists in Bagisto 2.3.8 within the CMS page editor. Although the platform normally attempts to sanitize <script> tags, the filtering can be bypassed by manipulating the raw HTTP POST request before submission. As a result, arbitrary JavaScript can be stored in the CMS content and executed whenever the page is viewed or edited. This exposes administrators to a high-severity risk, including complete account takeover, …
Bagisto v2.3.7 is vulnerable to Server-Side Template Injection (SSTI) due to unsanitized user input being processed by the server-side templating engine when rendering product descriptions. This allows an attacker with product creation privileges to inject arbitrary template expressions that are evaluated by the backend — potentially leading to Remote Code Execution (RCE) on the server.
When product data that begins with a spreadsheet formula character (for example =, +, -, or @) is accepted and later exported or saved into a CSV and opened in spreadsheet software, the spreadsheet will interpret that cell as a formula. This allows an attacker to supply a CSV field (e.g., product name) that contains a formula which may be evaluated by a victim’s spreadsheet application — potentially leading to …
In Bagisto v2.3.7, the TinyMCE image upload functionality allows an attacker with sufficient privileges (e.g. admin) to upload a crafted HTML file containing embedded JavaScript. When viewed, the malicious code executes in the context of the admin/user’s browser.
In Bagisto v2.3.7, the “Create New Customer” feature (in the admin panel) is vulnerable to reflected / stored Cross-Site Scripting (XSS). An attacker with access to the admin create-customer form can inject malicious JavaScript payloads into certain input fields. These payloads may later execute in the context of an admin’s browser or another user viewing the customer data, enabling session theft or admin-level actions.
In Bagisto v2.3.7, the TinyMCE image upload functionality allows an attacker with sufficient privileges (e.g. admin) to upload a crafted SVG file containing embedded JavaScript. When viewed, the malicious code executes in the context of the admin/user’s browser.
An authenticated stored XSS vulnerability exists in the Bagisto 2.3.6 admin panel's product creation path, allowing an attacker to upload a crafted SVG file containing malicious JavaScript code. This vulnerability can be exploited by an authenticated admin user to execute arbitrary JavaScript in the browser, potentially leading to session hijacking, data theft, or unauthorized actions.
Insecure Direct Object Reference (IDOR) in Bagisto v.1.5.0 allows an attacker to obtain sensitive information via the invoice ID parameter.
Bagisto is vulnerable to cross-site scripting (XSS) via a PNG file upload in the product review option.
Cross Site Request Forgery vulnerability in Bagisto before v.1.3.2 allows an attacker to execute arbitrary code via a crafted HTML script.
Cross Site Scripting vulnerability in Webkul Bagisto v1.3.1 and before allows an attacker to execute arbitrary code via a crafted SVG file upload.
Bagisto v1.5.1 is vulnerable to Server-Side Template Injection (SSTI).
In Webkul Bagisto, the functionalities for customers to change their own values (such as address, review, orders, etc.) can also be manipulated by other customers.
Bagisto allows CSRF under /admin URIs.