CVE-2024-55451
CVE-2024-55451 is a medium-severity vulnerability rated 4.8/10 on the CVSS scale. A Stored Cross-Site Scripting (XSS) vulnerability exists in authenticated SVG file upload and viewing functionality in UJCMS 9.6.3. The vulnerability arises from insufficient sanitization of embedded attributes in uploaded SVG files. EPSS estimates a 0.31% chance of exploitation in the next 30 days.
Description
A Stored Cross-Site Scripting (XSS) vulnerability exists in authenticated SVG file upload and viewing functionality in UJCMS 9.6.3. The vulnerability arises from insufficient sanitization of embedded attributes in uploaded SVG files. When a maliciously crafted SVG file is viewed by other backend users, it allows authenticated attackers to execute arbitrary JavaScript in the context of other backend users' browsers, potentially leading to the theft of sensitive tokens.
Metrics
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Ujcms | Ujcms | 9.6.3 |
References
- https://github.com/cydtseng/Vulnerability-Research/blob/main/ujcms/StoredXSS-SVGUpload.md (Exploit, Third Party Advisory)
Timeline
- Published
- Last Modified
- Status: Analyzed
Source: NVD / NIST
