Lucene search
+L

445 matches found

RedhatCVE
RedhatCVE
added 2025/05/23 6:22 a.m.8 views

CVE-2024-55451

A Stored Cross-Site Scripting XSS vulnerability exists in authenticated SVG file upload and viewing functionality in UJCMS 9.6.3. The vulnerability arises from insufficient sanitization of embedded attributes in uploaded SVG files. When a maliciously crafted SVG file is viewed by other backend...

4.8CVSS5.6AI score0.00312EPSS
Exploits1References1
RedhatCVE
RedhatCVE
added 2025/05/23 6:18 a.m.11 views

CVE-2024-6581

A vulnerability in the discussion image upload function of the Lollms application, version v9.9, allows for the uploading of SVG files. Due to incomplete filtering in the sanitizesvg function, this can lead to cross-site scripting XSS vulnerabilities, which in turn pose a risk of remote code...

9CVSS6.1AI score0.00595EPSS
Exploits1References1
RedhatCVE
RedhatCVE
added 2025/05/23 5:4 a.m.11 views

CVE-2023-36236

Cross Site Scripting vulnerability in webkil Bagisto v.1.5.0 and before allows an attacker to execute arbitrary code via a crafted SVG file uplad...

4.8CVSS7.1AI score0.0061EPSS
Exploits1
RedhatCVE
RedhatCVE
added 2025/05/23 4:31 a.m.20 views

CVE-2023-5458

The CITS Support svg, webp Media and TTF,OTF File Upload WordPress plugin before 3.0 does not sanitise uploaded SVG files, which could allow users with a role as low as Author to upload a malicious SVG containing XSS payloads...

5.4CVSS5.9AI score0.0039EPSS
Exploits2References1
RedhatCVE
RedhatCVE
added 2025/05/23 4:3 a.m.5 views

CVE-2023-37611

Cross Site Scripting XSS vulnerability in Neos CMS 8.3.3 allows a remote authenticated attacker to execute arbitrary code via a crafted SVG file to the neos/management/media component...

5.4CVSS6AI score0.00626EPSS
Exploits1
RedhatCVE
RedhatCVE
added 2025/05/23 1:2 a.m.9 views

CVE-2022-37161

Claroline 13.5.7 and prior is vulnerable to Cross Site Scripting XSS via SVG file upload...

6.1CVSS6.1AI score0.0055EPSS
Exploits1References1
RedhatCVE
RedhatCVE
added 2025/05/22 9:35 p.m.8 views

CVE-2021-43842

Wiki.js is a wiki app built on Node.js. Wiki.js versions 2.5.257 and earlier are vulnerable to stored cross-site scripting through a SVG file upload. By creating a crafted SVG file, a malicious Wiki.js user may stage a stored cross-site scripting attack. This allows the attacker to execute...

5.4CVSS6.3AI score0.0072EPSS
Exploits0
RedhatCVE
RedhatCVE
added 2025/05/22 9:23 p.m.9 views

CVE-2021-29460

Kirby is an open source CMS. An editor with write access to the Kirby Panel can upload an SVG file that contains harmful content like...

7.6CVSS6.8AI score0.03174EPSS
Exploits4References1
RedhatCVE
RedhatCVE
added 2025/05/22 7:27 p.m.10 views

CVE-2021-25978

Apostrophe CMS versions between 2.63.0 to 3.3.1 are vulnerable to Stored XSS where an editor uploads an SVG file that contains malicious JavaScript onto the Images module, which triggers XSS once viewed...

5.4CVSS5.8AI score0.00483EPSS
Exploits0
RedhatCVE
RedhatCVE
added 2025/05/22 7:24 p.m.10 views

CVE-2021-24960

The WordPress File Upload WordPress plugin before 4.16.3, wordpress-file-upload-pro WordPress plugin before 4.16.3 allows users with a role as low as Contributor to configure the upload form in a way that allows uploading of SVG files, which could be then be used for Cross-Site Scripting attacks...

5.4CVSS6.2AI score0.0077EPSS
Exploits2References1
RedhatCVE
RedhatCVE
added 2025/05/22 7:21 p.m.8 views

CVE-2021-24362

The Photo Gallery by 10Web – Mobile-Friendly Image Gallery WordPress plugin before 1.5.75 did not ensure that uploaded SVG files added to a gallery do not contain malicious content. As a result, users allowed to add images to gallery can upload an SVG file containing JavaScript code, which will b...

6.1CVSS5.8AI score0.00827EPSS
Exploits2References1
RedhatCVE
RedhatCVE
added 2025/05/22 6:52 p.m.9 views

CVE-2021-43841

XWiki is a generic wiki platform offering runtime services for applications built on top of it. When using default XWiki configuration, it's possible for an attacker to upload an SVG containing a script executed when executing the download action on the file. This problem has been patched so that...

5.4CVSS6.7AI score0.0087EPSS
Exploits1
RedhatCVE
RedhatCVE
added 2025/05/22 6:26 p.m.6 views

CVE-2021-25967

In CKAN, versions 2.9.0 to 2.9.3 are affected by a stored XSS vulnerability via SVG file upload of users’ profile picture. This allows low privileged application users to store malicious scripts in their profile picture. These scripts are executed in a victim’s browser when they open the maliciou...

5.4CVSS5.5AI score0.00493EPSS
Exploits0
RedhatCVE
RedhatCVE
added 2025/05/22 6:9 p.m.10 views

CVE-2021-3741

A stored cross-site scripting XSS vulnerability was discovered in chatwoot/chatwoot, affecting all versions prior to 2.6. The vulnerability occurs when a user uploads an SVG file containing a malicious XSS payload in the profile settings. When the avatar is opened in a new page, the custom...

7.8CVSS5AI score0.00285EPSS
Exploits0
RedhatCVE
RedhatCVE
added 2025/05/22 6:9 p.m.8 views

CVE-2021-3742

A Server-Side Request Forgery SSRF vulnerability was discovered in chatwoot/chatwoot, affecting all versions prior to 2.5.0. The vulnerability allows an attacker to upload an SVG file containing a malicious SSRF payload. When the SVG file is used as an avatar and opened in a new tab, it can trigg...

8.8CVSS6.8AI score0.00367EPSS
Exploits0
RedhatCVE
RedhatCVE
added 2025/05/22 5:9 p.m.8 views

CVE-2020-13145

Studio in Open edX Ironwood 2.5 allows users to upload SVG files via the "ContentFile Uploads" screen. These files can contain JavaScript code and thus lead to Stored XSS...

5.4CVSS6.9AI score0.00531EPSS
Exploits1
RedhatCVE
RedhatCVE
added 2025/05/22 4:51 p.m.12 views

CVE-2020-8280

A missing file type check in Nextcloud Contacts 3.4.0 allows a malicious user to upload SVG files as PNG files to perform cross-site scripting XSS attacks...

5.4CVSS5.8AI score0.00634EPSS
Exploits1References1
RedhatCVE
RedhatCVE
added 2025/05/22 4:25 p.m.7 views

CVE-2020-35418

Cross Site Scripting XSS in the contact page of Group Office CRM 6.4.196 by uploading a crafted svg file...

5.4CVSS6AI score0.00524EPSS
Exploits1
NVD
NVD
added 2025/05/15 8:15 p.m.6 views

CVE-2023-6541

The Allow SVG WordPress plugin before 1.2.0 does not sanitize uploaded SVG files, which could allow users with a role as low as Author to upload a malicious SVG containing XSS payloads...

6.1CVSS0.00319EPSS
Exploits2References1
CVE
CVE
added 2025/05/15 8:7 p.m.33 views

CVE-2024-9238

CVE-2024-9238 covers the WordPress plugin AVIF Uploader, where versions before 1.1.1 fail to sanitize uploaded SVGs, allowing an attacker with as little as Author privileges to inject XSS via an SVG file. Multiple connected sources confirm the vulnerability pattern (SVG sanitization bypass and st...

5.4CVSS6AI score0.00254EPSS
Exploits1References1Affected Software1
Rows per page
Query Builder