Description
The Aimeos GrapesJS CMS extension provides page editor for creating content pages based on extensible components. Prior to 2021.10.8, 2022.10.8, 2023.10.8, 2024.10.8, and 2025.10.8, Javascript code can be injected by malicious editors for a stored XSS attack if the standard Content Security Policy is disabled. This vulnerability is fixed in 2021.10.8, 2022.10.8, 2023.10.8, 2024.10.8, and 2025.10.8.
CVSS breakdown
CVSS 3.1
Attack Vector
Network
Attack Complexity
High
Privileges Required
High
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High
Affected products
- aimeos / ai-cms-grapesjs>= 2021.04.1, < 2021.10.8 – >= 2021.04.1, < 2021.10.8
- aimeos / ai-cms-grapesjs>= 2022.04.1, < 2022.10.9 – >= 2022.04.1, < 2022.10.9
- aimeos / ai-cms-grapesjs>= 2023.04.1, < 2023.10.15 – >= 2023.04.1, < 2023.10.15
- aimeos / ai-cms-grapesjs>= 2024.04.1, < 2024.10.8 – >= 2024.04.1, < 2024.10.8
- aimeos / ai-cms-grapesjs>= 2025.04.1, < 2025.10.2 – >= 2025.04.1, < 2025.10.2