Описание
Squidex before 7.9.0 allows XSS via an SVG document to the Upload Assets feature. This occurs because there is an incomplete blacklist in the SVG inspection, allowing JavaScript in the SRC attribute of an IFRAME element. An authenticated attack with assets.create permission is required for exploitation.
Ссылки
- Mailing List
- Exploit
- Vendor Advisory
- Mailing List
- Exploit
- Vendor Advisory
Уязвимые конфигурации
Конфигурация 1Версия до 7.9.0 (исключая)
cpe:2.3:a:squidex.io:squidex:*:*:*:*:*:*:*:*
EPSS
Процентиль: 72%
0.00734
Низкий
5.4 Medium
CVSS3
Дефекты
CWE-79
EPSS
Процентиль: 72%
0.00734
Низкий
5.4 Medium
CVSS3
Дефекты
CWE-79