Ksawery Kehl

**Name of the Vulnerable Software and Affected Versions** URVE Smart Office versions prior to 1.1.24 **Description** URVE Smart Office is susceptible to a Stored Cross-Site Scripting (XSS) issue within the report problem functionality. An attacker possessing a low-privileged account can upload a Scalable Vector Graphics (SVG) file containing a malicious payload. Upon a victim accessing the URL of the uploaded resource, the malicious payload is executed. The resource is accessible to anyone without requiring authentication. **Recommendations** Upgrade to version 1.1.24 or later to address this issue.