PT-2021-19682 · Pagekit · Pagekit

Langkexiansheng

Published

2021-06-16

Updated

2021-06-23

CVE-2021-32245

CVSS v3.1

5.4

Medium

Vector

AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions: PageKit version 1.0.18

Description: The issue allows a user to upload SVG files that can contain malicious scripts through the file upload portion of the CMS. These files are not stripped or filtered, enabling the creation of a link on the website that points to the malicious SVG file, such as "/storage/exp.svg", which can trigger a XSS attack when clicked.

Recommendations: For PageKit version 1.0.18, consider disabling the file upload feature for SVG files until a patch is available, and restrict access to the "/storage/" directory to minimize the risk of exploitation.

Exploit

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-79

Related Identifiers

CVE-2021-32245

GHSA-MRWR-2945-FR22

Affected Products

Pagekit

PT-2021-19682 · Pagekit · Pagekit

CVE-2021-32245

Weakness Enumeration

Related Identifiers

Affected Products

References · 4