445 matches found
CVE-2024-55451
A Stored Cross-Site Scripting XSS vulnerability exists in authenticated SVG file upload and viewing functionality in UJCMS 9.6.3. The vulnerability arises from insufficient sanitization of embedded attributes in uploaded SVG files. When a maliciously crafted SVG file is viewed by other backend...
CVE-2024-6581
A vulnerability in the discussion image upload function of the Lollms application, version v9.9, allows for the uploading of SVG files. Due to incomplete filtering in the sanitizesvg function, this can lead to cross-site scripting XSS vulnerabilities, which in turn pose a risk of remote code...
CVE-2023-36236
Cross Site Scripting vulnerability in webkil Bagisto v.1.5.0 and before allows an attacker to execute arbitrary code via a crafted SVG file uplad...
CVE-2023-5458
The CITS Support svg, webp Media and TTF,OTF File Upload WordPress plugin before 3.0 does not sanitise uploaded SVG files, which could allow users with a role as low as Author to upload a malicious SVG containing XSS payloads...
CVE-2023-37611
Cross Site Scripting XSS vulnerability in Neos CMS 8.3.3 allows a remote authenticated attacker to execute arbitrary code via a crafted SVG file to the neos/management/media component...
CVE-2022-37161
Claroline 13.5.7 and prior is vulnerable to Cross Site Scripting XSS via SVG file upload...
CVE-2021-43842
Wiki.js is a wiki app built on Node.js. Wiki.js versions 2.5.257 and earlier are vulnerable to stored cross-site scripting through a SVG file upload. By creating a crafted SVG file, a malicious Wiki.js user may stage a stored cross-site scripting attack. This allows the attacker to execute...
CVE-2021-29460
Kirby is an open source CMS. An editor with write access to the Kirby Panel can upload an SVG file that contains harmful content like...
CVE-2021-25978
Apostrophe CMS versions between 2.63.0 to 3.3.1 are vulnerable to Stored XSS where an editor uploads an SVG file that contains malicious JavaScript onto the Images module, which triggers XSS once viewed...
CVE-2021-24960
The WordPress File Upload WordPress plugin before 4.16.3, wordpress-file-upload-pro WordPress plugin before 4.16.3 allows users with a role as low as Contributor to configure the upload form in a way that allows uploading of SVG files, which could be then be used for Cross-Site Scripting attacks...
CVE-2021-24362
The Photo Gallery by 10Web – Mobile-Friendly Image Gallery WordPress plugin before 1.5.75 did not ensure that uploaded SVG files added to a gallery do not contain malicious content. As a result, users allowed to add images to gallery can upload an SVG file containing JavaScript code, which will b...
CVE-2021-43841
XWiki is a generic wiki platform offering runtime services for applications built on top of it. When using default XWiki configuration, it's possible for an attacker to upload an SVG containing a script executed when executing the download action on the file. This problem has been patched so that...
CVE-2021-25967
In CKAN, versions 2.9.0 to 2.9.3 are affected by a stored XSS vulnerability via SVG file upload of users’ profile picture. This allows low privileged application users to store malicious scripts in their profile picture. These scripts are executed in a victim’s browser when they open the maliciou...
CVE-2021-3741
A stored cross-site scripting XSS vulnerability was discovered in chatwoot/chatwoot, affecting all versions prior to 2.6. The vulnerability occurs when a user uploads an SVG file containing a malicious XSS payload in the profile settings. When the avatar is opened in a new page, the custom...
CVE-2021-3742
A Server-Side Request Forgery SSRF vulnerability was discovered in chatwoot/chatwoot, affecting all versions prior to 2.5.0. The vulnerability allows an attacker to upload an SVG file containing a malicious SSRF payload. When the SVG file is used as an avatar and opened in a new tab, it can trigg...
CVE-2020-13145
Studio in Open edX Ironwood 2.5 allows users to upload SVG files via the "ContentFile Uploads" screen. These files can contain JavaScript code and thus lead to Stored XSS...
CVE-2020-8280
A missing file type check in Nextcloud Contacts 3.4.0 allows a malicious user to upload SVG files as PNG files to perform cross-site scripting XSS attacks...
CVE-2020-35418
Cross Site Scripting XSS in the contact page of Group Office CRM 6.4.196 by uploading a crafted svg file...
CVE-2023-6541
The Allow SVG WordPress plugin before 1.2.0 does not sanitize uploaded SVG files, which could allow users with a role as low as Author to upload a malicious SVG containing XSS payloads...
CVE-2024-9238
CVE-2024-9238 covers the WordPress plugin AVIF Uploader, where versions before 1.1.1 fail to sanitize uploaded SVGs, allowing an attacker with as little as Author privileges to inject XSS via an SVG file. Multiple connected sources confirm the vulnerability pattern (SVG sanitization bypass and st...