Vulnerability Description
Squidex before 7.9.0 allows XSS via an SVG document to the Upload Assets feature. This occurs because there is an incomplete blacklist in the SVG inspection, allowing JavaScript in the SRC attribute of an IFRAME element. An authenticated attack with assets.create permission is required for exploitation.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Squidex.Io | Squidex | < 7.9.0 |
Related Weaknesses (CWE)
References
- http://www.openwall.com/lists/oss-security/2023/11/08/4Mailing List
- https://census-labs.com/news/2023/11/08/weak-svg-asset-filtering-mechanism-in-sqExploit
- https://support.squidex.io/c/news/9Vendor Advisory
- http://www.openwall.com/lists/oss-security/2023/11/08/4Mailing List
- https://census-labs.com/news/2023/11/08/weak-svg-asset-filtering-mechanism-in-sqExploit
- https://support.squidex.io/c/news/9Vendor Advisory
FAQ
What is CVE-2023-46857?
CVE-2023-46857 is a vulnerability with a CVSS score of 5.4 (MEDIUM). Squidex before 7.9.0 allows XSS via an SVG document to the Upload Assets feature. This occurs because there is an incomplete blacklist in the SVG inspection, allowing JavaScript in the SRC attribute o...
How severe is CVE-2023-46857?
CVE-2023-46857 has been rated MEDIUM with a CVSS base score of 5.4/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2023-46857?
Check the references section above for vendor advisories and patch information. Affected products include: Squidex.Io Squidex.