Taskcafe · Taskcafe · CVE-2023-26771
**Name of the Vulnerable Software and Affected Versions**
Taskcafe version 0.3.2
**Description**
The issue is related to a lack of validation in the filetype when uploading a SVG profile picture with a XSS payload. An authenticated attacker can exploit this by uploading a malicious picture, which will trigger the payload when the victim opens the file. This allows for Cross Site Scripting (XSS) attacks.
**Recommendations**
For Taskcafe version 0.3.2, as a temporary workaround, consider disabling the upload of SVG profile pictures until a patch is available. Restrict access to the file upload feature to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.