Stored XSS Vulnerability in UJCMS SVG File Handling
CVE-2024-55451

4.8 MEDIUM

Key Information:

Vendor: Dromara
Status: Vendor
CVE Published: 16 December 2024

What is CVE-2024-55451?

CVE-2024-55451 is a stored Cross-Site Scripting (XSS) vulnerability affecting UJCMS version 9.6.3. It arises from inadequate sanitization of embedded attributes in SVG files during the authenticated upload and viewing process. An authenticated attacker can upload a maliciously crafted SVG file; when other backend users view that file, the attacker's JavaScript executes in their browsers, potentially exposing sensitive information such as session tokens. Addressing this vulnerability is crucial to securing backend operations and maintaining the integrity of user data.
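The defensive counterpart to the flaw described above is a server-side SVG sanitizer that runs on upload, before the file is stored or served. The following is an added example, not UJCMS code or the vendor's fix: it parses the SVG as XML with the standard library, removes script-capable elements, `on*` event-handler attributes and `javascript:` URLs, and returns both the cleaned document and a list of findings so an upload handler can reject the file (or log the attempt) instead of silently serving it. The element and attribute names are a constructed denylist for illustration; a production sanitizer should allowlist instead.

```python
from __future__ import annotations
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"

# Constructed denylist: elements that can execute script or embed foreign content.
BLOCKED_ELEMENTS = {"script", "foreignObject", "iframe", "embed", "object"}
# URL-bearing attributes whose value may carry a javascript: scheme.
URL_ATTRS = {"href", f"{{{XLINK_NS}}}href"}


def _local(tag: str) -> str:
    """Strip the namespace from an ElementTree tag such as '{ns}script'."""
    return tag.rsplit("}", 1)[-1]


def sanitize_svg(svg_text: str) -> tuple[str, list[str]]:
    """Return (sanitized_svg, findings); a non-empty findings list means the upload was unsafe."""
    findings: list[str] = []
    ET.register_namespace("", SVG_NS)
    ET.register_namespace("xlink", XLINK_NS)
    root = ET.fromstring(svg_text)  # raises ParseError on malformed input: reject such uploads

    def scrub(elem: ET.Element) -> None:
        for child in list(elem):
            name = _local(child.tag)
            if name in BLOCKED_ELEMENTS:
                findings.append(f"removed <{name}> element")
                elem.remove(child)
                continue
            scrub(child)
        for attr in list(elem.attrib):
            value = elem.attrib[attr]
            if _local(attr).lower().startswith("on"):  # onload, onclick, onmouseover, ...
                findings.append(f"removed event handler attribute {_local(attr)}")
                del elem.attrib[attr]
            elif attr in URL_ATTRS and value.strip().lower().startswith("javascript:"):
                findings.append(f"removed javascript: URL in {_local(attr)}")
                del elem.attrib[attr]

    scrub(root)
    return ET.tostring(root, encoding="unicode"), findings


# Constructed sample of the kind of upload the advisory describes (payload is a harmless alert).
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert(1)">
  <script>alert(1)</script>
  <a xlink:href="javascript:alert(1)"><rect width="10" height="10"/></a>
</svg>"""
```

Sanitizing is only one layer: serving uploads from a separate origin with `Content-Disposition: attachment` and a restrictive Content-Security-Policy keeps any script that slips through from running in the backend's origin.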

CVSS V3.1

Score: 4.8
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published