exploitDog

CVE-2024-11623

Опубликовано: 04 фев. 2025

Источник: nvd

CVSS3: 4.8

EPSS Низкий

Описание

Authentik project is vulnerable to Stored XSS attacks through uploading crafted SVG files that are used as application icons. This action could only be performed by an authenticated admin user. The issue was fixed in 2024.10.4 release.

Ссылки

https://cert.pl/en/posts/2025/02/CVE-2024-11623/
Third Party Advisory
https://docs.goauthentik.io/docs/security/audits-and-certs/2024-11-cobalt#svg-images-for-icons-possible-xss-vulnerability
Vendor Advisory
https://github.com/goauthentik/authentik/pull/12092
Issue Tracking
Patch

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:goauthentik:authentik:*:*:*:*:*:*:*:*

Версия до 2024.10.4 (исключая)

EPSS

Процентиль: 39%

0.00174

Низкий

4.8 Medium

CVSS3

Дефекты

CWE-79

Связанные уязвимости

GHSA-f8wx-qvvq-mwx4

CVSS3: 4.8

github

около 1 года назад

Authentik project is vulnerable to Stored XSS attacks through uploading crafted SVG files that are used as application icons. This action could only be performed by an authenticated admin user. The issue was fixed in 2024.10.4 release.

EPSS

Процентиль: 39%

0.00174

Низкий

4.8 Medium

CVSS3

Дефекты

CWE-79