Severity: NONE (score 0.0) · Ecosystem: NuGet
Stored XSS via SVG File Upload
GHSA-6xmx-85x3-4cv2 · CVE-2023-49279
Description
Impact
A user with access to the backoffice can upload SVG files that contain script (a script element, an event-handler attribute or a javascript: URL). If that user can trick another user into loading the media file directly in a browser, rather than embedded as an image, the script executes in the origin that serves the media.
Workaround
Implement server-side file validation that rejects SVG uploads containing script elements, event-handler attributes or javascript: URLs
https://docs.umbraco.com/umbraco-cms/reference/security/serverside-file-validation
or
Serve all media from a different host (e.g. a CDN) than the one where Umbraco is hosted, so that any script in an uploaded SVG runs in a separate origin with no access to the backoffice session.
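The first workaround leaves the actual validation rules to the implementer. The following is an added example (not Umbraco's own validator and not the code on the linked documentation page) of the kind of allow-list check that is meant: it parses the upload as XML and rejects anything that can run script when the file is opened directly. It is written in Python for readability; the function name `svg_is_safe`, the size limit `MAX_BYTES` and the sample SVG bodies are all assumptions constructed for this example, and wiring the check into Umbraco's upload pipeline is left to the documented hook.

```python
"""Reject SVG uploads that could execute script when opened directly in a browser.

Added example with constructed samples; the rules below are a generic
allow-list, not Umbraco's own validator.
"""
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
MAX_BYTES = 2 * 1024 * 1024  # assumed upload limit for the example

# Elements that execute script or embed arbitrary HTML inside an SVG.
FORBIDDEN_ELEMENTS = {"script", "foreignobject", "iframe", "object", "embed"}
# Attributes that carry URLs, including the animation attributes that can
# rewrite an href to a javascript: URL after load (<set to="javascript:...">).
URL_ATTRIBUTES = {"href", "src", "data", "to", "from", "by", "values"}


def _local(name: str) -> str:
    """'{namespace}Name' -> 'name' (lower-cased for comparison)."""
    return name.rsplit("}", 1)[-1].lower()


def _dangerous_url(tag: str, value: str) -> bool:
    """True if a URL-valued attribute could run script when followed or animated.

    Whitespace and control characters are stripped first because browsers
    tolerate them inside a scheme ('java\\tscript:' still runs).
    """
    for piece in value.split(";"):  # 'values' lists are ;-separated
        cleaned = re.sub(r"[\x00-\x20]", "", piece).lower()
        scheme, sep, rest = cleaned.partition(":")
        if not sep:
            continue  # relative URL or #fragment: no scheme to abuse
        if scheme in ("javascript", "vbscript"):
            return True
        if scheme == "data":
            # Embedded raster images on <image> are legitimate; anything else
            # (data:text/html, data:image/svg+xml) may carry markup or script.
            raster = (tag == "image" and rest.startswith("image/")
                      and not rest.startswith("image/svg"))
            if not raster:
                return True
    return False


def svg_is_safe(data: bytes) -> tuple[bool, str]:
    """Return (True, 'ok') for an acceptable SVG body, else (False, reason)."""
    if len(data) > MAX_BYTES:
        return False, "file too large"
    # Refuse any DOCTYPE: rules out entity expansion and external-entity tricks.
    if re.search(rb"<!DOCTYPE", data, re.IGNORECASE):
        return False, "DOCTYPE declarations are not allowed"
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return False, f"malformed XML: {exc}"
    # Only a properly namespaced <svg> root is accepted; anything else is not
    # an SVG the browser would render, so there is no reason to keep it.
    if root.tag != f"{{{SVG_NS}}}svg":
        return False, "root element is not an SVG-namespaced <svg>"
    for elem in root.iter():
        tag = _local(elem.tag)
        if tag in FORBIDDEN_ELEMENTS:
            return False, f"forbidden element <{tag}>"
        for attr, value in elem.attrib.items():
            name = _local(attr)
            if name.startswith("on"):  # onload, onclick, onerror, ...
                return False, f"event handler attribute '{name}' on <{tag}>"
            if name in URL_ATTRIBUTES and _dangerous_url(tag, value):
                return False, f"script-capable URL in '{name}' on <{tag}>"
    return True, "ok"


# Constructed samples: two benign files and the payload shapes the check exists for.
BENIGN = (b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
          b'<circle cx="5" cy="5" r="4" fill="#0a0"/></svg>')
DATA_IMAGE = (b'<svg xmlns="http://www.w3.org/2000/svg"><image width="1" height="1" '
              b'href="data:image/png;base64,iVBORw0KGgo="/></svg>')
SCRIPT = b'<svg xmlns="http://www.w3.org/2000/svg"><script>alert(document.cookie)</script></svg>'
ONLOAD = b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"/>'
JS_HREF = (b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
           b'<a xlink:href="java\tscript:alert(1)"><text y="10">x</text></a></svg>')
FOREIGN = (b'<svg xmlns="http://www.w3.org/2000/svg"><foreignObject>'
           b'<body xmlns="http://www.w3.org/1999/xhtml"><img src="x" onerror="alert(1)"/>'
           b'</body></foreignObject></svg>')
DOCTYPE = b'<!DOCTYPE svg [<!ENTITY x "y">]><svg xmlns="http://www.w3.org/2000/svg"/>'
ANIMATED_HREF = (b'<svg xmlns="http://www.w3.org/2000/svg"><a>'
                 b'<set attributeName="href" to="javascript:alert(1)"/>'
                 b'<text y="10">x</text></a></svg>')

if __name__ == "__main__":
    for label, body in [("benign", BENIGN), ("data image", DATA_IMAGE), ("script", SCRIPT),
                        ("onload", ONLOAD), ("js href", JS_HREF), ("foreignObject", FOREIGN),
                        ("doctype", DOCTYPE), ("animated href", ANIMATED_HREF)]:
        print(f"{label:14s} -> {svg_is_safe(body)}")
```

A check like this is deliberately an allow-list on structure rather than a search for the string `<script`: the event-handler and animated-href cases above carry no script element at all, and a scheme written as `java&#09;script:` or with embedded whitespace still runs in a browser, which is why the URL check strips control characters before comparing. Even with the upload check in place, the second workaround (a separate media origin) is the stronger control, because it contains whatever the validator misses.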