Vulnerability CVE-2023-46857
Published: 2023-12-07   Modified: 2023-12-14

Description:
Squidex before 7.9.0 allows XSS via an SVG document to the Upload Assets feature. This occurs because there is an incomplete blacklist in the SVG inspection, allowing JavaScript in the SRC attribute of an IFRAME element. An authenticated attack with assets.create permission is required for exploitation.

Type:

CWE-79

 (Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'))

Affected software
Squidex.io -> Squidex 

 References:
https://support.squidex.io/c/news/9
http://www.openwall.com/lists/oss-security/2023/11/08/4
https://census-labs.com/news/2023/11/08/weak-svg-asset-filtering-mechanism-in-squidex-cms/
Copyright 2024, cxsecurity.com

 

Back to Top