Bookmarkx · Bookmark · CVE-2025-14202
**Name of the Vulnerable Software and Affected Versions**
(affected versions not specified)
**Description**
The file upload handling in the bookmark and asset rendering pipeline accepts SVG files without stripping or neutralising the script they can carry. An attacker who can upload assets stores an SVG containing JavaScript. When an authenticated administrator views that file, the browser renders it as a document rather than as a static image, so the embedded script runs in the administrator's browser with the application's origin and session. The script reads the Cross-Site Request Forgery (CSRF) token, which the same-origin page exposes to it, and uses it to submit a password-change request for the administrator's account, giving the attacker complete account takeover (stored XSS escalating through CSRF-token theft). The advisory does not state which privilege level is needed to perform the upload.
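To make the failure mode concrete, the following is an added example (not Bookmarkx code): a server-side gate that rejects SVG uploads carrying active content, run against a constructed payload of the shape the advisory describes, plus the response headers that keep an already stored SVG from executing in the application's origin. The endpoint paths, form field names and sample SVGs are constructed for illustration and are not taken from the product.

```python
# Added example, not Bookmarkx code: a pre-storage gate for SVG uploads and the
# headers for serving stored uploads. Paths and field names in the sample
# payload are constructed placeholders, not the product's real endpoints.
import re
import xml.etree.ElementTree as ET

# Elements that execute script or embed an arbitrary (scriptable) document.
ACTIVE_TAGS = {"script", "foreignobject", "iframe", "embed", "object"}
# Attributes whose value is a URL the browser will follow or load.
URL_ATTRS = {"href", "src", "data", "values", "from", "to"}

# Constructed sample: rendered as a document in the admin's origin, the script
# reads the CSRF token from a same-origin page and replays it to change the
# password, the chain the advisory describes.
MALICIOUS_SVG = b"""<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg" width="1" height="1">
  <script>
    fetch("/admin/profile").then(r => r.text()).then(html => {
      var token = html.match(/csrf_token" value="([^"]+)"/)[1];
      fetch("/admin/password", {method: "POST",
        headers: {"Content-Type": "application/x-www-form-urlencoded"},
        body: "csrf_token=" + token + "&amp;password=attacker"});
    });
  </script>
</svg>"""
# More constructed samples: a clean icon and three quieter ways to smuggle script.
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10"><circle cx="5" cy="5" r="4" fill="#09f"/></svg>'
HANDLER_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="1" onload="alert(document.cookie)"/></svg>'
HREF_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
            b'<a xlink:href="  JaVa\nscript:alert(1)"><text>x</text></a></svg>')
ENTITY_SVG = b'<?xml version="1.0"?><!DOCTYPE svg [<!ENTITY x "y">]><svg xmlns="http://www.w3.org/2000/svg">&x;</svg>'


def _local(qname: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tags and attribute names."""
    return qname.rsplit("}", 1)[-1]


def _dangerous_url(value: str) -> bool:
    # Browsers ignore whitespace and control characters inside a scheme, so
    # "java\nscript:" must be treated as "javascript:". Entity-encoded forms
    # such as &#106;avascript: are already decoded by the XML parser.
    v = re.sub(r"[\x00-\x20]", "", value).lower()
    if v.startswith(("javascript:", "vbscript:")):
        return True
    # A data: URL can carry a whole SVG with its own script; allow raster images only.
    return v.startswith("data:") and not v.startswith(
        ("data:image/png", "data:image/jpeg", "data:image/gif", "data:image/webp"))


def find_active_content(svg: bytes) -> list[str]:
    """Return the reasons an uploaded SVG must be rejected; an empty list means clean."""
    # Refuse DTDs before parsing: they bring entity expansion and XXE risk, and a
    # stored icon has no legitimate need for one.
    if re.search(rb"<!(DOCTYPE|ENTITY)", svg, re.I):
        return ["DTD or entity declaration"]
    try:
        root = ET.fromstring(svg)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    findings = []
    for el in root.iter():
        tag = _local(el.tag)
        if tag.lower() in ACTIVE_TAGS:
            findings.append(f"<{tag}> element")
        for name, value in el.attrib.items():
            attr = _local(name).lower()
            if attr.startswith("on"):
                findings.append(f"event handler {attr} on <{tag}>")
            elif attr in URL_ATTRS and _dangerous_url(value):
                findings.append(f"{attr}={value.strip()!r} on <{tag}>")
            elif attr == "style" and "javascript:" in re.sub(r"[\x00-\x20]", "", value).lower():
                findings.append(f"script URL in style on <{tag}>")
    return findings


def accept_svg_upload(svg: bytes) -> bool:
    """Upload-time decision: store only SVGs with no active content."""
    return not find_active_content(svg)


def upload_response_headers(filename: str) -> dict[str, str]:
    """Headers for serving any stored upload. 'attachment' stops the browser from
    rendering the file as a page (an <img> source still displays, and <img> never
    runs SVG script); the CSP sandbox disables script if the file is opened
    directly anyway; nosniff stops content-type guessing. Serving uploads from a
    separate origin is the stronger fix: it removes the same-origin CSRF-token
    read entirely."""
    safe = re.sub(r"[^A-Za-z0-9._-]", "_", filename).lstrip(".") or "download"
    return {
        "Content-Type": "image/svg+xml",
        "Content-Disposition": f'attachment; filename="{safe}"',
        "Content-Security-Policy": "sandbox; default-src 'none'",
        "X-Content-Type-Options": "nosniff",
    }


if __name__ == "__main__":
    for label, sample in [("benign", BENIGN_SVG), ("script", MALICIOUS_SVG),
                          ("handler", HANDLER_SVG), ("href", HREF_SVG), ("entity", ENTITY_SVG)]:
        print(f"{label:8} accept={accept_svg_upload(sample)} {find_active_content(sample)}")
```

The gate is a deny-list on the constructs that can execute or load script; a production deployment would pair it with an allow-list sanitizer and, more importantly, move user uploads to a separate origin so that a bypass of the upload check no longer yields same-origin script with the administrator's session.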
**Recommendations**
At the moment there is no information about a release that fixes this vulnerability. Until one is published, the standard mitigations for stored SVG script apply: reject or sanitise uploaded SVGs (script elements, event-handler attributes, script-scheme URLs and DTDs), serve stored uploads with `Content-Disposition: attachment`, a restrictive Content-Security-Policy and `X-Content-Type-Options: nosniff`, and preferably host user-supplied assets on a separate origin so that any script that does run cannot read the application's CSRF token or act with an administrator's session.