Squidex before 7.9.0 allows XSS via an SVG document to the Upload Assets feature. This occurs because there is an incomplete blacklist in the SVG inspection, allowing JavaScript in the SRC attribute of an IFRAME element. An authenticated attack with assets.create permission is required for exploitation.
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NSquidex.io Squidex
APPSquidex.Io< 7.9.0
Related vulnerabilities
SSRF w Squidex — pełny odczyt odpowiedzi HTTP przez konfigurację Webhooków
Squidex is an open source headless CMS and content management hub. Affected versions are subject to an arbitra...
Squidex is an open source headless CMS and content management hub. Affected versions are missing origin verifi...
Squidex is an open source headless CMS and content management hub. In affected versions a stored Cross-Site Sc...
Improper Handling of Additional Special Element in GitHub repository squidex/squidex prior to 7.4.0.