MEDIUM🇬🇧 English

CVE-2023-46857

CVSS 5.4v3.1pub. 2023-12-07upd. 2024-11-21

Squidex before 7.9.0 allows XSS via an SVG document to the Upload Assets feature. This occurs because there is an incomplete blacklist in the SVG inspection, allowing JavaScript in the SRC attribute of an IFRAME element. An authenticated attack with assets.create permission is required for exploitation.

oryginał EN
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
  • Squidex.io Squidex

    APP
    Squidex.Io
    < 7.9.0
🔵
ZWERYFIKUJ U PRODUCENTA
Brak jednoznacznych danych o patchu. Sprawdź referencje od producenta.
Tagi
XSS
CWE
Referencje

Powiązane podatności

CVE-2026-24736CRITICAL9.1PL ✓ten sam produkt

SSRF w Squidex — pełny odczyt odpowiedzi HTTP przez konfigurację Webhooków

CVE-2023-46253CRITICAL9.1ten sam produkt

Squidex is an open source headless CMS and content management hub. Affected versions are subject to an arbitra...

CVE-2023-46252MEDIUM6.8ten sam produkt

Squidex is an open source headless CMS and content management hub. Affected versions are missing origin verifi...

CVE-2023-46744MEDIUM5.4ten sam produkt

Squidex is an open source headless CMS and content management hub. In affected versions a stored Cross-Site Sc...

CVE-2023-3580MEDIUM4.3ten sam produkt

Improper Handling of Additional Special Element in GitHub repository squidex/squidex prior to 7.4.0.