CVE-2021-25974

Name of the Vulnerable Software and Affected Versions Publify versions v8.0 through v9.2.4

Description The issue allows a user with a publisher role to inject and execute arbitrary JavaScript code, enabling stored XSS attacks. This can occur while creating a page or article, potentially through unrestricted file upload, which permits malicious JavaScript injection via uploaded HTML files.

Recommendations For Publify versions v8.0 through v9.2.4, consider restricting file uploads or validating the content of uploaded files to prevent malicious code execution until a patch is available. As a temporary workaround, limiting the privileges of the publisher role may help minimize the risk of exploitation.