Dlubitz

#46623 of 53,624
5.4 Total CVSS
Vulnerabilities · 1
PT-2023-26042
5.4
2023-09-18
Neos Cms · Neos Cms · CVE-2023-37611
**Name of the Vulnerable Software and Affected Versions**

Neos CMS version 8.3.3

**Description**

The issue allows a remote authenticated attacker to execute arbitrary code via a crafted SVG file uploaded to the `neos/management/media` component. To exploit this, the attacker must be able to upload a maliciously crafted file or coerce someone with the needed access to upload the file. The attacker can use this vulnerability to deliver malicious code. It is possible to use Content Security Policy (CSP) to protect against attacks being executed from such a file.

**Recommendations**

For Neos CMS version 8.3.3, consider disabling the upload of SVG files to the `neos/management/media` component until a patch is available. Implementing Content Security Policy (CSP) can also help protect against attacks being executed from maliciously crafted files.