Home

Description

The Aimeos GrapesJS CMS extension provides page editor for creating content pages based on extensible components. Prior to 2021.10.8, 2022.10.8, 2023.10.8, 2024.10.8, and 2025.10.8, Javascript code can be injected by malicious editors for a stored XSS attack if the standard Content Security Policy is disabled. This vulnerability is fixed in 2021.10.8, 2022.10.8, 2023.10.8, 2024.10.8, and 2025.10.8.

PUBLISHED Reserved 2025-12-02 | Published 2025-12-02 | Updated 2025-12-02 | Assigner GitHub_M




HIGH: 7.7CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H

Problem types

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Product status

>= 2021.04.1, < 2021.10.8
affected

>= 2022.04.1, < 2022.10.9
affected

>= 2023.04.1, < 2023.10.15
affected

>= 2024.04.1, < 2024.10.8
affected

>= 2025.04.1, < 2025.10.2
affected

References

github.com/...apesjs/security/advisories/GHSA-424m-fj2q-g7vg

github.com/...ommit/2214f71ac27cdea25f11c8adf6bb5816db47a042

cve.org (CVE-2025-66468)

nvd.nist.gov (CVE-2025-66468)