GHSA-JJ7C-JRV4-C65X plone.namedfile vulnerable to Stored Cross Site Scripting with SVG images

Impact There is a stored cross site scripting vulnerability for SVG images. A security hotfix from 2021 already partially fixed this, by making sure SVG images are always downloaded instead of shown inline. But the same problem still exists for scales of SVG images. Note that an image tag with an...

plone.namedfile vulnerable to Stored Cross Site Scripting with SVG images

Impact There is a stored cross site scripting vulnerability for SVG images. A security hotfix from 2021 already partially fixed this, by making sure SVG images are always downloaded instead of shown inline. But the same problem still exists for scales of SVG images. Note that an image tag with an...

CVE-2023-41048 plone.namedfile vulnerable to Stored Cross Site Scripting with SVG images

plone.namedfile allows users to handle File and Image fields targeting, but not depending on, Plone Dexterity content. Prior to versions 5.6.1, 6.0.3, 6.1.3, and 6.2.1, there is a stored cross site scripting vulnerability for SVG images. A security hotfix from 2021 already partially fixed this by...

CVE-2023-41048

CVE-2023-41048 affects plone.namedfile’s handling of SVG images in Plone Dexterity content. The vulnerability is a stored cross-site scripting issue for SVG images that persists across multiple versions (prior to 5.6.1 for Plone 5.2, 6.0.3 for 6.0.x, 6.1.3 for 6.0.5–6.0.6, and 6.2.1 for 6.0.7). T...

CVE-2023-41048 plone.namedfile vulnerable to Stored Cross Site Scripting with SVG images

plone.namedfile allows users to handle File and Image fields targeting, but not depending on, Plone Dexterity content. Prior to versions 5.6.1, 6.0.3, 6.1.3, and 6.2.1, there is a stored cross site scripting vulnerability for SVG images. A security hotfix from 2021 already partially fixed this by...