Kaio Mendonça Pereira

#28689 of 53,633
8.8 Total CVSS
Vulnerabilities · 1
PT-2025-40256
8.8
2025-10-01
Fiora · Fiora · CVE-2025-56515
**Name of the Vulnerable Software and Affected Versions**

Fiora chat application versions 1.0.0 through 1.0.0

**Description**

The Fiora chat application has a file upload issue related to the user avatar upload functionality. The application does not properly validate SVG file content. This allows malicious SVG files, containing `foreignObject` elements with `iframe` tags and JavaScript event handlers like `onmouseover`, to be uploaded and stored. When these SVG files are rendered, they execute arbitrary JavaScript. This can lead to the theft of user sessions and cookies, and enable attackers to perform unauthorized actions within the context of users viewing affected profiles.

**Recommendations**

Update to a newer version that contains a fix for this vulnerability.