Xxcdd

**Name of the Vulnerable Software and Affected Versions** CouchCMS version 2.2.1 **Description** Authenticated attackers can execute arbitrary JavaScript by uploading malicious SVG files through the file upload functionality. This occurs when SVG files containing embedded script tags are uploaded to the 'browse.php' endpoint, leading to script execution in the browsers of users who access or preview these files. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

CouchCMS 2.2.1 contains a server-side request forgery vulnerability that allows authenticated attackers to make arbitrary HTTP requests by uploading malicious SVG files. Attackers can upload SVG files containing external entity references through the browse.php endpoint to access internal services and resources.