CVE-2022-21650

Name of the Vulnerable Software and Affected Versions Convos (affected versions not specified)

Description The issue concerns Convos, an open-source multi-user chat that runs in a web browser. It is possible to bypass the upload filter by uploading an SVG file with an .html extension, as the chat window does not allow the use of SVG extensions directly but permits .html extensions. This bypass leads to Stored XSS, allowing an attacker to execute malicious scripts when a user views the uploaded file. Users are advised to update as soon as possible to mitigate this risk.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.