CVE-2024-51492 HIGH

CVE-2024-51492: Zusam vulnerable to stored XSS, allowing token theft via crafted SVG

Vendor Zusam
Product zusam
Weakness CWE-79 · XSS
Published November 1, 2024
Last update November 1, 2024
View on NVD All CVEs

CVSS base score

8.8/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality High
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:L

What the vulnerability does

01Description

Zusam is a free and open-source way to self-host private forums. Prior to version 0.5.6, specially crafted SVG files uploaded to the service as images allow for unrestricted script execution on (raw) image load. With certain payloads, theft of the target user’s long-lived session token is possible. Note that Zusam, at the time of writing, uses a user’s static API key as a long-lived session token, and these terms can be used interchangeably on the platform. This session token/API key remains valid indefinitely, so long as the user doesn’t expressly request a new one via their Settings page. Version 0.5.6 fixes the cross-site scripting vulnerability.

Key dates

02Disclosure timeline

November 1, 2024 CVE published
November 1, 2024 Record updated

Related vulnerabilities

04Related CVE

CVE-2025-7498 Exclusive Addons for Elementor <= 2.7.9.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Countdown CVE-2022-44594 WordPress All in One Time Clock Lite Plugin <= 1.3.320 is vulnerable to Cross Site Scripting (XSS) CVE-2025-11828 Magazine Companion <= 1.2.3 - Authenticated (Contributor+) Stored Cross-Site Scripting CVE-2024-37549 WordPress Save as PDF plugin by Pdfcrowd plugin <= 4.0.0 - Cross Site Scripting (XSS) vulnerability CVE-2025-8222 jerryshensjf JPACookieShop 蛋糕商城JPA版 GoodsController.java cross site scripting