PT-2022-20005 · Jirafeau · Jirafeau

Published: 2022-05-17 · Updated: 2026-02-12 · CVE-2022-30110

CVSS v3.1: 6.1 (Medium)

Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Jirafeau versions prior to 4.4.0

Description: The file preview functionality in Jirafeau, which is enabled by default, could be exploited for cross-site scripting. An attacker could upload an image/svg+xml file containing JavaScript. When someone visits the File Preview URL for that file, the JavaScript inside the image/svg+xml file is executed in the user's browser.

Recommendations: For versions prior to 4.4.0, update to version 4.4.0 or later to resolve the issue. As a temporary workaround, consider disabling the file preview functionality until a patch is available. Restrict the upload of image/svg+xml files to minimize the risk of exploitation. Avoid using the file preview feature for files from untrusted sources until the issue is resolved.
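The following is an added illustration of the workaround described above, written for this page and not Jirafeau's own code: a preview endpoint should never render image/svg+xml inline, regardless of the declared MIME type, and can additionally refuse SVG uploads that carry script, event handlers or script URLs. Function names, header values and the sample SVGs are constructed for the example.

```python
import xml.etree.ElementTree as ET

SVG_MIME = "image/svg+xml"
# Elements that let an SVG execute script or embed active foreign content.
ACTIVE_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}

def _local(name: str) -> str:
    """Strip an XML namespace, e.g. {http://www.w3.org/2000/svg}script -> script."""
    return name.rsplit("}", 1)[-1].lower()

def svg_has_active_content(data: bytes) -> bool:
    """True if the SVG contains script elements, on* event handlers or script URLs.
    A file that does not parse is treated as active (fail closed)."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return True
    for el in root.iter():
        if _local(el.tag) in ACTIVE_ELEMENTS:
            return True
        for attr, value in el.attrib.items():
            name = _local(attr)
            if name.startswith("on"):  # onload=, onclick=, ...
                return True
            if name in {"href", "src"} and value.strip().lower().startswith(("javascript:", "data:")):
                return True
    return False

def looks_like_svg(declared_mime: str, data: bytes) -> bool:
    """Trust neither the declared MIME type nor the extension alone: sniff the bytes too."""
    return declared_mime.lower() == SVG_MIME or b"<svg" in data[:1024].lower()

def preview_headers(declared_mime: str, filename: str, data: bytes) -> dict:
    """Headers the preview endpoint should send. SVG is forced to download and
    served with a sandboxing CSP so script cannot run even if a browser renders it;
    other content keeps the inline preview."""
    headers = {"X-Content-Type-Options": "nosniff"}
    if looks_like_svg(declared_mime, data):
        headers["Content-Type"] = SVG_MIME
        headers["Content-Disposition"] = f'attachment; filename="{filename}"'
        headers["Content-Security-Policy"] = "sandbox; script-src 'none'"
    else:
        headers["Content-Type"] = declared_mime
        headers["Content-Disposition"] = f'inline; filename="{filename}"'
    return headers

# Constructed samples (not real uploads): a plain drawing and one with an event handler.
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'
ACTIVE_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"><circle r="4"/></svg>'
```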

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2022-30110
GHSA-J2XF-P274-G8CC

Affected Products

Jirafeau