CVE-2023-49279
NONE0.0EPSS 0.45%Stored XSS via SVG File Upload
發布日:2023/12/13修改日:2024/2/16
描述
#### Impact A user with access to the backoffice can upload SVG files that include scripts. If the user can trick another user to load the media directly in a browser, the scripts can be executed. #### Workaround Implement the server side file validation https://docs.umbraco.com/umbraco-cms/reference/security/serverside-file-validation or Serve all media from an different host (e.g cdn) that where umbraco is hosted
受影響套件(1)
- NuGet/Umbraco.CMS>= 7.0.0, < 7.15.11
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | NONE0.0 | CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:N |