CVE-2023-36236

low-risk
Published 2024-01-16

Cross Site Scripting vulnerability in webkil Bagisto v.1.5.0 and before allows an attacker to execute arbitrary code via a crafted SVG file uplad.

Do I need to act?

-
0.23% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
4
CVSS 4.8/10 Medium
NETWORK / LOW complexity

Affected Products (1)

Affected Vendors

Webkul

References (6)

Product https://bagisto.com/en/
Exploit https://github.com/Ek-Saini/security/blob/main/XSS_via_fileupload-bagisto
Patch https://github.com/bagisto/bagisto/pull/4764/commits/7bbf0c4bb565fc2601f031f9bbc...
Product https://bagisto.com/en/
Exploit https://github.com/Ek-Saini/security/blob/main/XSS_via_fileupload-bagisto
Patch https://github.com/bagisto/bagisto/pull/4764/commits/7bbf0c4bb565fc2601f031f9bbc...
25
/ 100
low-risk
Severity 19/34 · Moderate
Exploitability 1/34 · Minimal
Exposure 5/34 · Minimal