CVE-2023-37611 – neos/media-browser

Package

Manager: composer
Name: neos/media-browser
Vulnerable Version: >=0 <7.3.19 || >=8.0.0 <8.0.16 || >=8.1.0 <8.1.11 || >=8.2.0 <8.2.11 || >=8.3.0 <8.3.9

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: 0.0027 pctl0.50181

Details

Neos CMS Cross Site Scripting vulnerability Cross Site Scripting (XSS) vulnerability in Neos CMS 8.3.3 allows a remote authenticated attacker to execute arbitrary code via a crafted SVG file uploaded to the `neos/management/media` component. To make use of this attack vector, the attacker must either be able to upload a maliciously crafted file or coerce someone with the needed access to upload said file to Neos. Even if such a file is uploaded and subsequently delivered, it is possible to use CSP to protect against attacks being executed from such a file.

Metadata

Created: 2023-09-19T00:30:13Z
Modified: 2024-01-16T17:08:22Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/09/GHSA-6qjf-7g3j-qx25/GHSA-6qjf-7g3j-qx25.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-6qjf-7g3j-qx25
Finding: F425
Auto approve: 1