CVE-2022-23065 MEDIUM

CVE-2022-23065: Vendure - XSS via SVG File Upload

Vendor Vendure-Ecommerce
Product vendure
Weakness CWE-79 · XSS
Published May 2, 2022
Last update September 16, 2024
View on NVD All CVEs

CVSS base score

5.4/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction Required
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

What the vulnerability does

01Description

In Vendure versions 0.1.0-alpha.2 to 1.5.1 are affected by Stored XSS vulnerability, where an attacker having catalog permission can upload a SVG file that contains malicious JavaScript into the “Assets” tab. The uploaded file will affect administrators as well as regular users.

Key dates

02Disclosure timeline

May 2, 2022 CVE published
September 16, 2024 Record updated

Related vulnerabilities

04Related CVE

CVE-2022-22511 WAGO PLCs WBM vulnerable to reflected XSS CVE-2024-10116 Twitter Follow Button <= 0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via username Parameter CVE-2023-22455 Discourse vulnerable to Cross-site Scripting through tag descriptions CVE-2026-47762 TinyMCE Cross-Site Scripting (XSS) vulnerability through `mce:protected` comments CVE-2023-2691 SourceCodester Personnel Property Equipment System POST Parameter add_item.php cross site scripting