46 matches found
Cross-site Scripting (XSS)
aimeos/ai-cms-grapesjs is vulnerable to Cross-Site Scripting XSS. The vulnerability is due to lack of proper sanitization when Content Security Policy is disabled, which allows an attacker to inject malicious JavaScript through editor content...
CVE-2025-66468
The Aimeos GrapesJS CMS extension provides page editor for creating content pages based on extensible components. Prior to 2021.10.8, 2022.10.8, 2023.10.8, 2024.10.8, and 2025.10.8, Javascript code can be injected by malicious editors for a stored XSS attack if the standard Content Security Polic...
CVE-2025-13827
Summary Arbitrary files can be uploaded via the GrapesJS Builder, as the types of files that can be uploaded are not restricted. ImpactIf the media folder is not restricted from running files this can lead to a remote code execution...
Aimeos GrapesJS CMS extension has possible stored XSS that's exploitable by authenticated editors
Impact Javascript code can be injected by malicious editors for a stored XSS attack if the standard Content Security Policy is disabled. Workaround If the standard CSP rules are active default in production mode, an exploit isn't possible. Credits Lwin Min Oo...
EUVD-2025-200307
Aimeos GrapesJS CMS extension has possible stored XSS that's exploitable by authenticated editors...
GHSA-424M-FJ2Q-G7VG Aimeos GrapesJS CMS extension has possible stored XSS that's exploitable by authenticated editors
Impact Javascript code can be injected by malicious editors for a stored XSS attack if the standard Content Security Policy is disabled. Workaround If the standard CSP rules are active default in production mode, an exploit isn't possible. Credits Lwin Min Oo...
Aimeos GrapesJS CMS extension has possible stored XSS that's exploitable by authenticated editors
Javascript code can be injected by malicious editors for a stored XSS attack if the standard Content Security Policy is disabled...
GHSA-5XW2-57JX-PGJP GrapesJsBuilder File Upload allows all file uploads
Summary Arbitrary files can be uploaded via the GrapesJS Builder, as the types of files that can be uploaded are not restricted. Impact If the media folder is not restricted from running files this can lead to a remote code execution...
GrapesJsBuilder File Upload allows all file uploads
Summary Arbitrary files can be uploaded via the GrapesJS Builder, as the types of files that can be uploaded are not restricted. Impact If the media folder is not restricted from running files this can lead to a remote code execution...
Cross-site Scripting (XSS)
Overview aimeos/ai-cms-grapesjs is an Aimeos GrapesJS CMS extension Affected versions of this package are vulnerable to Cross-site Scripting XSS via the authenticated editors. An attacker can execute arbitrary JavaScript code in the context of other users by injecting malicious scripts when the...
CVE-2025-66468
The Aimeos GrapesJS CMS extension provides page editor for creating content pages based on extensible components. Prior to 2021.10.8, 2022.10.8, 2023.10.8, 2024.10.8, and 2025.10.8, Javascript code can be injected by malicious editors for a stored XSS attack if the standard Content Security Polic...
CVE-2025-66468 Aimeos GrapesJS CMS extension possible stores XSS exploitable by authenticated editors
The Aimeos GrapesJS CMS extension provides page editor for creating content pages based on extensible components. Prior to 2021.10.8, 2022.10.8, 2023.10.8, 2024.10.8, and 2025.10.8, Javascript code can be injected by malicious editors for a stored XSS attack if the standard Content Security Polic...
CVE-2025-66468 Aimeos GrapesJS CMS extension possible stores XSS exploitable by authenticated editors
The Aimeos GrapesJS CMS extension provides page editor for creating content pages based on extensible components. Prior to 2021.10.8, 2022.10.8, 2023.10.8, 2024.10.8, and 2025.10.8, Javascript code can be injected by malicious editors for a stored XSS attack if the standard Content Security Polic...
CVE-2025-66468 Aimeos GrapesJS CMS extension possible stores XSS exploitable by authenticated editors
The Aimeos GrapesJS CMS extension provides page editor for creating content pages based on extensible components. Prior to 2021.10.8, 2022.10.8, 2023.10.8, 2024.10.8, and 2025.10.8, Javascript code can be injected by malicious editors for a stored XSS attack if the standard Content Security Polic...
CVE-2025-66468
The CVE-2025-66468 issue concerns the Aimeos GrapesJS CMS extension. Affected versions prior to 2021.10.8, 2022.10.8, 2023.10.8, 2024.10.8, and 2025.10.8 allow Javascript injection by authenticated editors resulting in a stored XSS when the standard CSP is disabled. The vulnerability is fixed in ...
CVE-2025-13827
Summary Arbitrary files can be uploaded via the GrapesJS Builder, as the types of files that can be uploaded are not restricted. ImpactIf the media folder is not restricted from running files this can lead to a remote code execution...
CVE-2025-13827
Summary Arbitrary files can be uploaded via the GrapesJS Builder, as the types of files that can be uploaded are not restricted. ImpactIf the media folder is not restricted from running files this can lead to a remote code execution...
CVE-2025-13827 GrapesJsBuilder File Upload allows all file uploads
Summary Arbitrary files can be uploaded via the GrapesJS Builder, as the types of files that can be uploaded are not restricted. ImpactIf the media folder is not restricted from running files this can lead to a remote code execution...
CVE-2025-13827
The CVE-2025-13827 entry concerns GrapesJS Builder in Mautic, where file upload is not restricted by type, allowing arbitrary files to be uploaded. The underlying issue is that the media folder may execute uploaded files, potentially enabling remote code execution (RCE). Affected components are t...
CVE-2025-13827 GrapesJsBuilder File Upload allows all file uploads
Summary Arbitrary files can be uploaded via the GrapesJS Builder, as the types of files that can be uploaded are not restricted. ImpactIf the media folder is not restricted from running files this can lead to a remote code execution...