CVE-2021-41952

Name of the Vulnerable Software and Affected Versions Zenario CMS version 9.0.54156

Description The issue allows for Cross Site Scripting (XSS) via the upload of malicious files with an *.SVG extension. An attacker can exploit this by sending these malicious files to victims, potentially stealing their cookies and leading to account takeover. The person viewing the image of a contact can be a victim of XSS.

Recommendations For Zenario CMS version 9.0.54156, consider disabling the upload of *.SVG files until a patch is available to prevent the exploitation of this issue. Restrict access to the image viewing feature for contacts to minimize the risk of exploitation. Avoid using the feature that allows the upload of files, especially *.SVG files, in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.