CVE-2023-46744

Source
https://nvd.nist.gov/vuln/detail/CVE-2023-46744
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-46744.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2023-46744
Related
  • GHSA-xfr4-qg2v-7v5m
Published
2023-11-07T18:15:09Z
Modified
2025-01-08T09:42:05.645532Z
Severity
  • 5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
Summary
[none]
Details

Squidex is an open source headless CMS and content management hub. In affected versions a stored Cross-Site Scripting (XSS) vulnerability enables privilege escalation of authenticated users. The SVG element filtering mechanism intended to stop XSS attacks through uploaded SVG images, is insufficient resulting to stored XSS attacks. Squidex allows the CMS contributors to be granted the permission of uploading an SVG asset. When the asset is uploaded, a filtering mechanism is performed to validate that the SVG does not contain malicious code. The validation logic consists of traversing the HTML nodes in the DOM. In order for the validation to succeed, 2 conditions must be met: 1. No HTML tags included in a "blacklist" called "InvalidSvgElements" are present. This list only contains the element "script". and 2. No attributes of HTML tags begin with "on" (i.e. onerror, onclick) (line 65). If either of the 2 conditions is not satisfied, validation fails and the file/asset is not uploaded. However it is possible to bypass the above filtering mechanism and execute arbitrary JavaScript code by introducing other HTML elements such as an <iframe> element with a "src" attribute containing a "javascript:" value. Authenticated adversaries with the "assets.create" permission, can leverage this vulnerability to upload a malicious SVG as an asset, targeting any registered user that will attempt to open/view the asset through the Squidex CMS.

References

Affected packages

Git / github.com/squidex/squidex

Affected ranges

Type
GIT
Repo
https://github.com/squidex/squidex
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected

Affected versions

3.*

3.0.0
3.0.0-beta2
3.0.0-beta3
3.1.0
3.2.0
3.2.1
3.2.2
3.3.0
3.4.0
3.5.0

4.*

4.0.0
4.0.0-beta1
4.0.1
4.0.2
4.0.3
4.1.0
4.1.0-beta1
4.1.0-rc
4.1.1
4.1.2
4.1.3
4.2.0
4.2.0-beta1
4.2.0-beta2
4.3.0
4.4.0
4.4.0-rc
4.5.0
4.5.1
4.6.0
4.7.0
4.7.1
4.7.2
4.7.3
4.7.4
4.7.5
4.7.6

5.*

5.0.0
5.0.0-beta1
5.0.0-beta2
5.1.0
5.1.1
5.2.0
5.2.1
5.3.0
5.4.0
5.5.0
5.6.0
5.7.0
5.8.0
5.8.1
5.8.2
5.9.0

6.*

6.0.0
6.0.1
6.1.0
6.10.0
6.11.0
6.12.0
6.13.0
6.14.0
6.2.0
6.3.0
6.4.0
6.5.0
6.6.0
6.7.0
6.8.0
6.9.0

7.*

7.0.0
7.0.0-rc1
7.0.0-rc2
7.0.0-rc3
7.0.1
7.0.2
7.0.3
7.1.0
7.2.0
7.3.0
7.4.0
7.5.0
7.6.0
7.6.1
7.7.0
7.8.0
7.8.1
7.8.2

v1.*

v1.0
v1.0-beta1
v1.0-beta2
v1.0-beta3
v1.1
v1.1.1
v1.1.2
v1.1.3
v1.1.4
v1.1.5
v1.1.6
v1.1.7
v1.10.0
v1.11.0
v1.12.0
v1.13.0
v1.14.0
v1.15.0
v1.16.0
v1.16.1
v1.16.2
v1.2.0
v1.3.0
v1.3.1
v1.4.0
v1.4.1
v1.6.0
v1.6.1
v1.6.2
v1.6.3
v1.7.0
v1.8.0
v1.9.0

v2.*

v2.0
v2.0-RC1
v2.0-beta1
v2.0.1
v2.0.2
v2.0.3
v2.0.4
v2.0.5
v2.1.0
v2.2.0
v2.2.1

v3.*

v3.0-beta1