CVE-2024-11623

EPSS 0.36%

Stored XSS in authentik

發布日:2026/4/16修改日:2026/4/17

描述

Authentik project is vulnerable to Stored XSS attacks through uploading crafted SVG files that are used as application icons. This action could only be performed by an authenticated admin user. The issue was fixed in 2024.10.4 release.

受影響套件(1)

Bitnami/authentikfrom 0, < 2024.10.4

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

參考連結(4)

WEBhttps://cert.pl/en/posts/2025/02/CVE-2024-11623/
WEBhttps://docs.goauthentik.io/docs/security/audits-and-certs/2024-11-cobalt#svg-images-for-icons-possible-xss-vulnerability
WEBhttps://github.com/goauthentik/authentik/pull/12092
WEBhttps://nvd.nist.gov/vuln/detail/CVE-2024-11623