7.6
CVE-2025-66468
- EPSS 0.06%
- Published 02.12.2025 18:40:44
- Last modified 10.03.2026 19:38:23
- Source security-advisories@github.com
The Aimeos GrapesJS CMS extension provides a page editor for creating content pages based on extensible components. Prior to 2021.10.8, 2022.10.8, 2023.10.8, 2024.10.8, and 2025.10.8, JavaScript code can be injected by malicious editors for a stored XSS attack if the standard Content Security Policy is disabled. This vulnerability is fixed in 2021.10.8, 2022.10.8, 2023.10.8, 2024.10.8, and 2025.10.8.
Data provided by the National Vulnerability Database (NVD)
Aimeos ≫ Grapesjs Cms Version >= 2021.04.1 < 2021.10.8
Aimeos ≫ Grapesjs Cms Version >= 2022.04.1 < 2022.10.9
Aimeos ≫ Grapesjs Cms Version >= 2023.04.1 < 2023.10.15
Aimeos ≫ Grapesjs Cms Version >= 2024.04.1 < 2024.10.8
Aimeos ≫ Grapesjs Cms Version >= 2025.04.1 < 2025.10.2
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.06% | 0.175 |
| Source | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 6.1 | 2.8 | 2.7 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| security-advisories@github.com | 7.6 | 1 | 6 | CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H |
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.