Typo3 · Svg-Sanitizer · CVE-2021-36787
**Name of the Vulnerable Software and Affected Versions**
femanager extension versions prior to 5.5.1
femanager extension versions 6.x prior to 6.3.1
**Description**
The issue allows stored Cross-Site Scripting (XSS) via a crafted SVG document. By default, the extension permits logged-in frontend users to upload SVG files as new profile images. SVG is XML and can carry `<script>` elements, `on*` event-handler attributes and `javascript:` links, so a malicious upload executes in the site's origin whenever the stored file is opened directly in the browser or embedded as a document (for example via `<object>` or `<iframe>`); an SVG rendered through a plain `<img>` element does not run scripts, which is why the risk depends on how and where the uploaded image is used on the website.
**Recommendations**
For versions prior to 5.5.1, update to version 5.5.1 or later.
For versions 6.x prior to 6.3.1, update to version 6.3.1 or later.
As a temporary workaround, consider disabling SVG file uploads for frontend users until the update is applied.
If SVG uploads are necessary, use the TYPO3 extension svg sanitizer to strip scriptable content from SVG files at upload time, or serve the destination folder of uploaded images with a strict Content Security Policy that forbids script execution, so that a browser opening an uploaded SVG directly will not run embedded code. Sanitizing at upload is the more robust of the two, since a folder-level CSP only protects files fetched from that path and relies on the web server actually emitting the header.
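The following is an added example, not code from femanager, TYPO3 or the svg sanitizer extension: a server-side screen of the kind the sanitizer recommendation above describes, written in Python for illustration. It parses an uploaded SVG as XML and either reports or strips the constructs that make the attack in the description work (`<script>` and `<foreignObject>` elements, `on*` event handlers, `javascript:`/`vbscript:` hrefs). The two SVG documents at the bottom are constructed inputs, and the element and attribute lists are a minimal policy chosen here, not a complete one; a production deployment would also use a hardened XML parser such as defusedxml.

```python
"""Server-side screening of uploaded SVG files (added example, not TYPO3 or
femanager code). SVG is XML, so an upload handler can parse it and reject
or strip what a browser would execute when the file is opened from the
site's origin: <script>, XHTML inside <foreignObject>, on* handlers and
script-scheme URLs in href attributes."""
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
# Keep the conventional prefixes when serialising the sanitised tree.
ET.register_namespace("", SVG_NS)
ET.register_namespace("xlink", XLINK_NS)

# Policy chosen for this example: elements whose whole subtree is removed.
DANGEROUS_ELEMENTS = {"script", "foreignObject"}
# Attributes that take a URL and therefore may carry a script: scheme.
URL_ATTRIBUTES = {"href", f"{{{XLINK_NS}}}href"}
# Schemes that execute code when the link is followed.
SCRIPT_SCHEMES = ("javascript:", "vbscript:")


def _local_name(qualified: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on tags and attributes."""
    return qualified.rsplit("}", 1)[-1]


def _is_script_url(value: str) -> bool:
    """Browsers ignore control characters and whitespace inside the scheme, so
    normalise before comparing. Entities (&#x73; etc.) were decoded by the parser."""
    normalised = re.sub(r"[\x00-\x20]", "", value).lower()
    return normalised.startswith(SCRIPT_SCHEMES)


def _bad_attributes(elem: ET.Element) -> list[str]:
    """Return the attribute names on elem that must not survive an upload."""
    bad = []
    for name, value in elem.attrib.items():
        if _local_name(name).lower().startswith("on"):   # onload, onclick, onerror
            bad.append(name)
        elif name in URL_ATTRIBUTES and _is_script_url(value):
            bad.append(name)
    return bad


def find_svg_issues(svg_bytes: bytes) -> list[str]:
    """List every script-bearing construct in the document; empty means accept.
    A file that is not well-formed XML is not a valid SVG and is reported too."""
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    issues = []
    for elem in root.iter():
        tag = _local_name(elem.tag)
        if tag in DANGEROUS_ELEMENTS:
            issues.append(f"element <{tag}>")
        for name in _bad_attributes(elem):
            issues.append(f"attribute {_local_name(name)} on <{tag}>")
    return issues


def is_safe_svg(svg_bytes: bytes) -> bool:
    """Accept/reject decision an upload handler can use directly."""
    return not find_svg_issues(svg_bytes)


def sanitize_svg(svg_bytes: bytes) -> bytes:
    """Strip the offending constructs and re-serialise; raises on malformed XML."""
    root = ET.fromstring(svg_bytes)
    parent_of = {child: parent for parent in root.iter() for child in parent}
    # Collect first, then mutate: removing while iterating skips siblings.
    doomed = [e for e in root.iter() if _local_name(e.tag) in DANGEROUS_ELEMENTS]
    for elem in doomed:
        if elem in parent_of:                 # the root element itself is kept
            parent_of[elem].remove(elem)
    for elem in root.iter():
        for name in _bad_attributes(elem):
            del elem.attrib[name]
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)


# Constructed sample inputs for this example (not from the advisory or a real upload).
MALICIOUS_SVG = b"""<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
     viewBox="0 0 100 100" onload="alert(document.domain)">
  <script>alert(document.cookie)</script>
  <a xlink:href="java&#x73;cript:alert(1)"><circle cx="50" cy="50" r="40"/></a>
  <foreignObject width="100" height="100">
    <body xmlns="http://www.w3.org/1999/xhtml"><img src="x" onerror="alert(2)"/></body>
  </foreignObject>
</svg>"""
BENIGN_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 100 100">'
              b'<circle cx="50" cy="50" r="40" fill="green"/></svg>')

if __name__ == "__main__":
    for issue in find_svg_issues(MALICIOUS_SVG):
        print("reject:", issue)
    print("benign accepted:", is_safe_svg(BENIGN_SVG))
    print(sanitize_svg(MALICIOUS_SVG).decode())
```

Run as a script, it prints five findings for the malicious file (the `onload` on the root, the `<script>`, the entity-obfuscated `javascript:` link, the `<foreignObject>` and the `onerror` inside it), accepts the benign circle, and prints a sanitised copy of the malicious file that passes the same checks. Rejecting (`is_safe_svg`) is the safer choice for an upload form; `sanitize_svg` shows the strip-and-store alternative the sanitizer extension takes.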