Aimeos GrapesJS CMS extension possible stores XSS exploitable by authenticated...

7.7 / 10

HIGH

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H

Description

The Aimeos GrapesJS CMS extension provides page editor for creating content pages based on extensible components. Prior to 2021.10.8, 2022.10.8, 2023.10.8, 2024.10.8, and 2025.10.8, Javascript code can be injected by malicious editors for a stored XSS attack if the standard Content Security Policy is disabled. This vulnerability is fixed in 2021.10.8, 2022.10.8, 2023.10.8, 2024.10.8, and 2025.10.8.

Basic Information

ID CVE-2025-66468

Source GitHub_M

Published Dec 2, 2025 at 18:40

Modified Dec 2, 2025 at 19:25

Affected Product

Vendor aimeos

Product ai-cms-grapesjs

Version >= 2021.04.1, < 2021.10.8

Affected Versions aimeos ai-cms-grapesjs >= 2021.04.1, < 2021.10.8
aimeos ai-cms-grapesjs >= 2022.04.1, < 2022.10.9
aimeos ai-cms-grapesjs >= 2023.04.1, < 2023.10.15
aimeos ai-cms-grapesjs >= 2024.04.1, < 2024.10.8
aimeos ai-cms-grapesjs >= 2025.04.1, < 2025.10.2

CWE Classification

CWE-79

References

{
    "lastseen": "",
    "description": "The Aimeos GrapesJS CMS extension provides page editor for creating content pages based on extensible components. Prior to 2021.10.8, 2022.10.8, 2023.10.8, 2024.10.8, and 2025.10.8, Javascript code can be injected by malicious editors for a stored XSS attack if the standard Content Security Policy is disabled. This vulnerability is fixed in 2021.10.8, 2022.10.8, 2023.10.8, 2024.10.8, and 2025.10.8.",
    "published": "2025-12-02T18:40:44.081Z",
    "modified": "2025-12-02T19:25:50.350Z",
    "type": "cve",
    "title": "Aimeos GrapesJS CMS extension possible stores XSS exploitable by authenticated editors",
    "source": "GitHub_M",
    "references": "https://github.com/aimeos/ai-cms-grapesjs/security/advisories/GHSA-424m-fj2q-g7vg\nhttps://github.com/aimeos/ai-cms-grapesjs/commit/2214f71ac27cdea25f11c8adf6bb5816db47a042",
    "id": "CVE-2025-66468",
    "bulletinFamily": "",
    "cwe": [
        "CWE-79"
    ],
    "cvelist": null,
    "sourceData": "aimeos ai-cms-grapesjs >= 2021.04.1, < 2021.10.8\naimeos ai-cms-grapesjs >= 2022.04.1, < 2022.10.9\naimeos ai-cms-grapesjs >= 2023.04.1, < 2023.10.15\naimeos ai-cms-grapesjs >= 2024.04.1, < 2024.10.8\naimeos ai-cms-grapesjs >= 2025.04.1, < 2025.10.2",
    "sourceHref": "",
    "cvss": {
        "score": 7.7,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "ai-cms-grapesjs",
    "version": ">= 2021.04.1, < 2021.10.8",
    "vendor": "aimeos",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Aimeos GrapesJS CMS extension possible stores XSS exploitable by authenticated editors_CVE-2025-66468