CVE-2024-55451

A Stored Cross-Site Scripting (XSS) vulnerability exists in authenticated SVG file upload and viewing functionality in UJCMS 9.6.3. The vulnerability arises from insufficient sanitization of embedded attributes in uploaded SVG files. When a maliciously crafted SVG file is viewed by other backend users, it allows authenticated attackers to execute arbitrary JavaScript in the context of other backend users' browsers, potentially leading to the theft of sensitive tokens.

CVSS v3 4.8 MEDIUM

4.8^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.7 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/cydtseng/Vulnerability-Research/blob/main/ujcms/StoredXSS-SVGUpload.md	Exploit Third Party Advisory
https://github.com/dromara/ujcms	Product
https://github.com/cydtseng/Vulnerability-Research/blob/main/ujcms/StoredXSS-SVGUpload.md	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:ujcms:ujcms:9.6.3:*:*:*:*:*:*:*

History

No history.

Information

Published : 2024-12-16 23:15

Updated : 2025-04-24 15:26

NVD link : CVE-2024-55451

Mitre link : CVE-2024-55451

CVE.ORG link : CVE-2024-55451

JSON object : View

Products Affected

ujcms

ujcms

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2024-55451", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 4.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 1.7}]}, "published": "2024-12-16T23:15:06.710", "references": [{"url": "https://github.com/cydtseng/Vulnerability-Research/blob/main/ujcms/StoredXSS-SVGUpload.md", "tags": ["Exploit", "Third Party Advisory"], "source": "[email protected]"}, {"url": "https://github.com/dromara/ujcms", "tags": ["Product"], "source": "[email protected]"}, {"url": "https://github.com/cydtseng/Vulnerability-Research/blob/main/ujcms/StoredXSS-SVGUpload.md", "tags": ["Exploit", "Third Party Advisory"], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "A Stored Cross-Site Scripting (XSS) vulnerability exists in authenticated SVG file upload and viewing functionality in UJCMS 9.6.3. The vulnerability arises from insufficient sanitization of embedded attributes in uploaded SVG files. When a maliciously crafted SVG file is viewed by other backend users, it allows authenticated attackers to execute arbitrary JavaScript in the context of other backend users' browsers, potentially leading to the theft of sensitive tokens."}, {"lang": "es", "value": "Existe una vulnerabilidad de Cross-Site Scripting (XSS) almacenado en la funcionalidad de carga y visualizaci\u00f3n de archivos SVG autenticados en UJCMS 9.6.3. La vulnerabilidad surge de una desinfecci\u00f3n insuficiente de los atributos integrados en los archivos SVG cargados. Cuando otros usuarios del backend ven un archivo SVG manipulado con fines malintencionados, los atacantes autenticados pueden ejecutar c\u00f3digo JavaScript arbitrario en el contexto de los navegadores de otros usuarios del backend, lo que puede llevar al robo de tokens confidenciales."}], "lastModified": "2025-04-24T15:26:43.720", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:ujcms:ujcms:9.6.3:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B35595EB-DB23-45CE-B865-658935EAE1D3"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}