GHSA-VQQR-FGMH-F626 Contao Vulnerable to Cross-Site Scripting (XSS) through SVG uploads
Impact: Users can upload SVG files with malicious code, which is then executed in the back end and/or front end.
Patches: Update to Contao 4.13.54, 5.3.30 or 5.5.6.
Workarounds: Remove svg,svgz from the allowed upload file types in the system settings and from contao.editablefiles in the config.yaml...
CVE-2023-30538 Stored Cross-site Scripting via improper sanitization of svg files in Discourse
Discourse is an open source platform for community discussion. Due to the improper sanitization of SVG files, an attacker can execute arbitrary JavaScript on the users’ browsers by uploading a crafted SVG file. This issue is patched in the latest stable and tests-passed versions of Discourse. Use...