CVE-2024-55451

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-55451
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-55451.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-55451
Published
2024-12-16T23:15:06.710Z
Modified
2025-11-16T08:39:11.584438Z
Severity
  • 4.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Summary
[none]
Details

A Stored Cross-Site Scripting (XSS) vulnerability exists in authenticated SVG file upload and viewing functionality in UJCMS 9.6.3. The vulnerability arises from insufficient sanitization of embedded attributes in uploaded SVG files. When a maliciously crafted SVG file is viewed by other backend users, it allows authenticated attackers to execute arbitrary JavaScript in the context of other backend users' browsers, potentially leading to the theft of sensitive tokens.

References

Affected packages

Git / github.com/dromara/ujcms

Affected ranges

Type
GIT
Repo
https://github.com/dromara/ujcms
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected

Affected versions

v1.*

v1.0.0

v2.*

v2.0.0
v2.0.1
v2.0.2

v3.*

v3.0.0
v3.0.1
v3.1.0

v4.*

v4.1.1
v4.1.2
v4.1.3

v5.*

v5.5.1
v5.5.2

v6.*

v6.0.2

v7.*

v7.0.0
v7.0.1
v7.0.2
v7.0.3
v7.0.4

v8.*

v8.0.2

v9.*

v9.0.3
v9.0.4
v9.0.5
v9.1.0
v9.1.1
v9.1.4
v9.5.0
v9.5.1
v9.6.0
v9.6.1
v9.6.2
v9.6.3