XSS Vulnerability in Squidex CMS Allows Exploitation via SVG Documents
CVE-2023-46857
5.4 MEDIUM
What is CVE-2023-46857?
A stored cross-site scripting (XSS) vulnerability exists in Squidex before version 7.9.0. An authenticated user who holds the assets.create permission can upload a crafted SVG document through the Upload Assets feature. The filter applied to SVG uploads is incomplete: it rejects some script-bearing constructs but not a JavaScript URL in the src attribute of an iframe element, so the crafted SVG passes the check and is stored as an asset. When another user opens that asset, the embedded script runs within the context of the application, which can lead to unauthorized actions on that user's behalf and to data exposure. The fix shipped in Squidex 7.9.0.
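The example below is added here to show why a blocklist-style SVG filter of the kind the advisory describes fails; it is my own code, not Squidex's filter or its fix. The naive check is a hypothetical reconstruction that strips only script elements and on* handler attributes; the hardened check parses the document, rejects any element outside the SVG namespace, blocklists elements that can host or trigger script (including iframe and foreignObject), and normalises attribute values the way browsers do before matching a javascript: scheme. The SVG samples are constructed for this example.

```python
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"


def _split(name: str) -> tuple[str, str]:
    """Split an ElementTree '{namespace}local' name into (namespace, local)."""
    if name.startswith("{"):
        ns, local = name[1:].split("}", 1)
        return ns, local
    return "", name


# --- 1. Naive blocklist, in the spirit of the incomplete filter the advisory describes.
#        Hypothetical reconstruction, not Squidex's code: only <script> and on* handlers are caught.
NAIVE_BLOCKED_TAGS = {"script"}


def naive_svg_is_safe(svg: str) -> bool:
    root = ET.fromstring(svg)
    for el in root.iter():
        if _split(el.tag)[1].lower() in NAIVE_BLOCKED_TAGS:
            return False
        for attr in el.attrib:
            if _split(attr)[1].lower().startswith("on"):
                return False
    return True


# --- 2. Hardened check (my own, not the project's fix).
# Elements that can embed foreign content or change attributes at runtime.
DANGEROUS_TAGS = {"script", "iframe", "foreignobject", "object", "embed", "set", "animate"}
_SCRIPT_SCHEMES = ("javascript:", "vbscript:")
# Browsers strip ASCII control characters and whitespace before scheme matching,
# so "java\tscript:" and "&#9;"-encoded variants must be normalised the same way.
_CTRL_WS = re.compile(r"[\x00-\x20]")


def _has_script_scheme(value: str) -> bool:
    normalised = _CTRL_WS.sub("", value).lower()
    return normalised.startswith(_SCRIPT_SCHEMES)


def hardened_svg_is_safe(svg: str) -> bool:
    try:
        root = ET.fromstring(svg)
    except ET.ParseError:
        return False  # unparseable input is rejected, never passed through
    if _split(root.tag) != (SVG_NS, "svg"):
        return False
    for el in root.iter():
        ns, local = _split(el.tag)
        # Anything outside the SVG namespace (e.g. an XHTML iframe inside
        # foreignObject) is rejected, as is any blocklisted SVG element.
        if ns != SVG_NS or local.lower() in DANGEROUS_TAGS:
            return False
        for attr, value in el.attrib.items():
            if _split(attr)[1].lower().startswith("on"):
                return False
            # Check every attribute value, not just href/src: animate/set and
            # other attributes can carry URLs too.
            if _has_script_scheme(value):
                return False
    return True


# Constructed samples for this example.
BENIGN = '<svg xmlns="http://www.w3.org/2000/svg"><circle r="10"/></svg>'
SCRIPT_TAG = '<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>'
IFRAME_BYPASS = (
    '<svg xmlns="http://www.w3.org/2000/svg" xmlns:xhtml="http://www.w3.org/1999/xhtml">'
    '<foreignObject width="100" height="100">'
    '<xhtml:iframe src="javascript:alert(document.domain)"/>'
    "</foreignObject></svg>"
)
OBFUSCATED_HREF = (
    '<svg xmlns="http://www.w3.org/2000/svg">'
    '<a href="java&#9;script:alert(1)"><text>click</text></a></svg>'
)


def compare(samples: dict) -> dict:
    """Return {name: (naive_verdict, hardened_verdict)} for each sample."""
    return {name: (naive_svg_is_safe(s), hardened_svg_is_safe(s)) for name, s in samples.items()}


if __name__ == "__main__":
    for name, verdict in compare(
        {"benign": BENIGN, "script": SCRIPT_TAG, "iframe": IFRAME_BYPASS, "href": OBFUSCATED_HREF}
    ).items():
        print(f"{name:8s} naive_safe={verdict[0]!s:5s} hardened_safe={verdict[1]}")
```

The naive filter accepts both the iframe payload and the tab-obfuscated href, which is the class of gap the advisory describes. Server-side validation is only one layer: serving user-uploaded SVGs from a separate origin, or with Content-Disposition: attachment, and applying a Content-Security-Policy keeps any filter miss from executing in the application's origin.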
CVSS V3.1
Score: 5.4
Severity: MEDIUM
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: None
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Note: the Availability metric is None, not Low; with the other metrics as listed, an Availability impact of Low would yield a base score of 6.5, whereas 5.4 is the standard score for stored XSS with no availability impact.