CVE-2023-46857

Source
https://cve.org/CVERecord?id=CVE-2023-46857
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-46857.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2023-46857
Published
2023-12-07T06:15:54.740Z
Modified
2025-11-15T06:57:51.326264Z
Severity
  • 5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Summary
[none]
Details

Squidex before 7.9.0 allows XSS via an SVG document to the Upload Assets feature. This occurs because there is an incomplete blacklist in the SVG inspection, allowing JavaScript in the SRC attribute of an IFRAME element. An authenticated attacker with the assets.create permission is required for exploitation.

References

Affected packages

Git / github.com/squidex/squidex

Affected ranges

Type
GIT
Repo
https://github.com/squidex/squidex
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

3.*

3.0.0
3.0.0-beta2
3.0.0-beta3
3.1.0
3.2.0
3.2.1
3.2.2
3.3.0
3.4.0
3.5.0

4.*

4.0.0
4.0.0-beta1
4.0.1
4.0.2
4.0.3
4.1.0
4.1.0-beta1
4.1.0-rc
4.1.1
4.1.2
4.1.3
4.2.0
4.2.0-beta1
4.2.0-beta2
4.3.0
4.4.0
4.4.0-rc
4.5.0
4.5.1
4.6.0
4.7.0
4.7.1
4.7.2
4.7.3
4.7.4
4.7.5
4.7.6

5.*

5.0.0
5.0.0-beta1
5.0.0-beta2
5.1.0
5.1.1
5.2.0
5.2.1
5.3.0
5.4.0
5.5.0
5.6.0
5.7.0
5.8.0
5.8.1
5.8.2
5.9.0

6.*

6.0.0
6.0.1
6.1.0
6.10.0
6.11.0
6.12.0
6.13.0
6.14.0
6.2.0
6.3.0
6.4.0
6.5.0
6.6.0
6.7.0
6.8.0
6.9.0

7.*

7.0.0
7.0.0-rc1
7.0.0-rc2
7.0.0-rc3
7.0.1
7.0.2
7.0.3
7.1.0
7.2.0
7.3.0
7.4.0
7.5.0
7.6.0
7.6.1
7.7.0
7.8.0
7.8.1
7.8.2

v1.*

v1.0
v1.0-beta1
v1.0-beta2
v1.0-beta3
v1.1
v1.1.1
v1.1.2
v1.1.3
v1.1.4
v1.1.5
v1.1.6
v1.1.7
v1.10.0
v1.11.0
v1.12.0
v1.13.0
v1.14.0
v1.15.0
v1.16.0
v1.16.1
v1.16.2
v1.2.0
v1.3.0
v1.3.1
v1.4.0
v1.4.1
v1.6.0
v1.6.1
v1.6.2
v1.6.3
v1.7.0
v1.8.0
v1.9.0

v2.*

v2.0
v2.0-RC1
v2.0-beta1
v2.0.1
v2.0.2
v2.0.3
v2.0.4
v2.0.5
v2.1.0
v2.2.0
v2.2.1

v3.*

v3.0-beta1

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-46857.json"