exploitDog

CVE-2023-53909

Опубликовано: 17 дек. 2025

Источник: nvd

CVSS3: 5.4

EPSS Низкий

Описание

WBCE CMS 1.6.1 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious JavaScript by uploading crafted SVG files through the media manager. Attackers can upload SVG files containing script tags to the /wbce/modules/elfinder/ef/php/connector.wbce.php endpoint and execute JavaScript when victims access the uploaded file.

Ссылки

https://wbce-cms.org/
Product
https://www.exploit-db.com/exploits/51484
Exploit
Third Party Advisory
VDB Entry
https://www.vulncheck.com/advisories/wbce-cms-svg-file-content-cross-site-scripting
Exploit
Third Party Advisory
https://www.exploit-db.com/exploits/51484
Exploit
Third Party Advisory
VDB Entry

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:wbce:wbce_cms:1.6.1:-:*:*:*:*:*:*

EPSS

Процентиль: 7%

0.00026

Низкий

5.4 Medium

CVSS3

Дефекты

CWE-79

Связанные уязвимости

GHSA-j68f-qx6g-877w

CVSS3: 5.4

github

около 2 месяцев назад

WBCE CMS 1.6.1 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious JavaScript by uploading crafted SVG files through the media manager. Attackers can upload SVG files containing script tags to the /wbce/modules/elfinder/ef/php/connector.wbce.php endpoint and execute JavaScript when victims access the uploaded file.

EPSS

Процентиль: 7%

0.00026

Низкий

5.4 Medium

CVSS3

Дефекты

CWE-79