CVE-2023-49279

NONE0.0EPSS 0.45%

Stored XSS via SVG File Upload

Published: 12/13/2023Modified: 2/16/2024

Description

#### Impact A user with access to the backoffice can upload SVG files that include scripts. If the user can trick another user to load the media directly in a browser, the scripts can be executed. #### Workaround Implement the server side file validation https://docs.umbraco.com/umbraco-cms/reference/security/serverside-file-validation or Serve all media from an different host (e.g cdn) that where umbraco is hosted

Affected packages (1)

NuGet/Umbraco.CMS>= 7.0.0, < 7.15.11

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	NONE0.0	CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:N

References (4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2023-49279
PATCHhttps://github.com/umbraco/Umbraco-CMS
WEBhttps://docs.umbraco.com/umbraco-cms/reference/security/serverside-file-validation
WEBhttps://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-6xmx-85x3-4cv2