5.4 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
0.001 Low
EPSS
Percentile
26.2%
Cross Site Scripting (XSS) vulnerability in Neos CMS 8.3.3 allows a remote authenticated attacker to execute arbitrary code via a crafted SVG file uploaded to the neos/management/media
component. To make use of this attack vector, the attacker must either be able to upload a maliciously crafted file or coerce someone with the needed access to upload said file to Neos. Even if such a file is uploaded and subsequently delivered, it is possible to use CSP to protect against attacks being executed from such a file.
cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html
digi.ninja/blog/svg_xss.php
github.com/neos/neos-development-collection
github.com/neos/neos-development-collection/commit/4ac0df04d2e44e164e95887b466075dde3f04045
github.com/neos/neos-development-collection/issues/4833
github.com/neos/neos-development-collection/pull/4812
github.com/neos/neos-ui/releases/tag/8.3.4
nvd.nist.gov/vuln/detail/CVE-2023-37611
rodelllemit.medium.com/stored-xss-in-neo-cms-8-3-3-9bd1cb973c5b