Stored XSS Vulnerability in Authentik by GoAuthentik
CVE-2024-11623

4.8 MEDIUM

Key Information:

Vendor: Goauthentik
Product: Authentik
CVE Published: 4 February 2025

Summary

Authentik is vulnerable to stored cross-site scripting (XSS) through specially crafted SVG files uploaded as application icons. The flaw is reached by an authenticated admin user uploading malicious SVG content, whether knowingly or inadvertently; the script embedded in the icon then executes in the browser of anyone who views it. The issue was fixed in the 2024.10.4 release, so updating to that version or later mitigates the risk.
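The mitigation a defender wants for this bug class is a server-side check that refuses SVG icons carrying active content before they are stored. The following is an added example written for this page, not authentik's own code or its fix; the sample uploads and all function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Elements that can run script or embed arbitrary (non-image) content.
ACTIVE_ELEMENTS = {"script", "foreignObject", "iframe", "embed", "object"}


def _local(name: str) -> str:
    """Strip an ElementTree '{namespace}' prefix from a tag or attribute name."""
    return name.rsplit("}", 1)[-1]


def find_svg_risks(data: bytes) -> list[str]:
    """Return the reasons an SVG upload should be rejected; [] means it looks inert."""
    # Refuse DTDs outright rather than handing entity declarations to the parser.
    if re.search(rb"<!(DOCTYPE|ENTITY)", data, re.IGNORECASE):
        return ["DOCTYPE or ENTITY declaration"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    reasons = []
    if _local(root.tag) != "svg":
        reasons.append(f"root element is <{_local(root.tag)}>, not <svg>")
    for el in root.iter():
        tag = _local(el.tag)
        if tag in ACTIVE_ELEMENTS:
            reasons.append(f"<{tag}> element")
        for attr, value in el.attrib.items():
            name = _local(attr).lower()
            if name.startswith("on"):           # onload, onclick, ... event handlers
                reasons.append(f"event handler {name} on <{tag}>")
            elif name == "href":                # covers both href and xlink:href
                scheme = value.strip().lower().split(":", 1)[0]
                if scheme in ("javascript", "data"):
                    reasons.append(f"{scheme}: URL in href on <{tag}>")
    return reasons


# Constructed sample uploads (hypothetical, not taken from the advisory).
SAMPLES = {
    "clean": b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 16"><circle cx="8" cy="8" r="6"/></svg>',
    "script": b'<svg xmlns="http://www.w3.org/2000/svg"><script>/* constructed */</script></svg>',
    "handler": b'<svg xmlns="http://www.w3.org/2000/svg"><rect width="1" height="1" onclick="void 0"/></svg>',
}

if __name__ == "__main__":
    for label, svg in SAMPLES.items():
        print(label, "->", find_svg_risks(svg) or "accepted")
```

Rejecting risky uploads complements, rather than replaces, serving stored icons with a restrictive Content-Security-Policy and a Content-Disposition that keeps them from rendering as a top-level document.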

Affected Version(s)

authentik: all versions from 0 up to but not including 2024.10.4

References

CVSS v4

Score: 4.8
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published
  • Vulnerability reserved

Credit

Daniel Basta (NASK-PIB)