logo

Database

Server side cross-site scripting In @sync-in/server

Description

Sync-in Server has a stored cross-site scripting (XSS) vulnerability A Stored Cross-Site Scripting (XSS) vulnerability in Sync-in Server before 1.9.3 allows an authenticated attacker to execute arbitrary JavaScript in a victim's browser. By uploading a crafted SVG file containing a malicious payload, an attacker can access and exfiltrate sensitive information, including the user's session cookies.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2025-674382. NVD-2025-674383. OSV-2025-674384. GCVE-2025-67438

References

1. https://github.com/Sync-in/server/commit/a6276d067725637310e4e83a3eee337aae81f4392. https://gist.github.com/x0root/86db30af91bb0e1707eb7e57a049b6ad3. https://github.com/Sync-in/server/releases/tag/v1.9.3

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.

FLAT-CB9RV – Vulnerability | Fluid Attacks Database