PT-2022-20445 · Unknown · Fof Upload

Safwat Refaat · Published 2022-05-25 · Updated 2022-06-10 · CVE-2022-30999

CVSS v3.1: 8.7 (High)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: FoF Upload versions prior to 1.2.3
Description: The issue allows arbitrary JavaScript code execution when a user navigates directly to the URI of an uploaded SVG file, potentially leading to data leakage or malicious modification by an authenticated Flarum user. This is possible if FoF Upload is configured to allow the uploading of SVG files (image/svg+xml). The executed JavaScript code could include HTTP web requests to Flarum or other web services.
Recommendations: For FoF Upload versions prior to 1.2.3, upgrade to version 1.2.3, which sanitizes uploaded SVG files, or remove the ability for users to upload SVG files through FoF Upload as a temporary workaround.
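The recommendation says that 1.2.3 "sanitizes uploaded SVG files". The following Python sanitizer is an added example of what that kind of check looks like; it is not FoF Upload's code and not the sanitizer shipped in 1.2.3. The element and attribute sets it strips, the function names and the sample SVG documents are all assumptions constructed for this example. It strips `<script>` and `<foreignObject>` elements, `on*` event-handler attributes and `href` values with a script-capable scheme, and returns a list of what it removed so the upload service can log the event or reject the file outright.

```python
"""Defensive sanitizer for uploaded SVG files (added example, not FoF Upload code).

An SVG file is XML, so it can carry <script> elements, on* event-handler
attributes and javascript: URLs.  When such a file is served inline and a
user opens its URL directly, the browser runs that code in the origin of the
site hosting it.  The checks below are an assumption about what an SVG
sanitizer should cover, not the list FoF Upload 1.2.3 uses.
"""
import re
import xml.etree.ElementTree as ET
from typing import List, Tuple

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"

# Elements that execute script or embed arbitrary HTML inside the image.
ACTIVE_ELEMENTS = {"script", "foreignobject"}
# URL schemes in href / xlink:href that make the browser run code or
# render attacker-controlled HTML instead of following a link.
DANGEROUS_SCHEMES = ("javascript:", "vbscript:", "data:")


def _local(name: str) -> str:
    """Return the local part of a '{namespace}name' tag or attribute name."""
    return name.rsplit("}", 1)[-1]


def _normalize_url(value: str) -> str:
    """Fold case and drop the whitespace/control characters that browsers
    ignore while parsing a URL scheme (so 'java\\tscript:' is still caught)."""
    return re.sub(r"[\x00-\x20]", "", value).lower()


def sanitize_svg(data: bytes) -> Tuple[bytes, List[str]]:
    """Strip active content from an SVG document.

    Returns (sanitized_svg, findings).  A non-empty findings list means the
    upload carried something executable; the caller may log it or reject
    the file instead of serving the cleaned copy.  Raises ValueError when the
    input is not an SVG document at all.
    Note: xml.etree does not defend against entity-expansion attacks; a
    production service would parse through defusedxml first.
    """
    root = ET.fromstring(data)
    if _local(root.tag).lower() != "svg":
        raise ValueError("not an SVG document: root element is <%s>" % _local(root.tag))

    findings = []

    # Snapshot the tree before removing elements so the iterator is not
    # walking a structure that is being edited underneath it.
    for parent in list(root.iter()):
        for child in list(parent):
            if _local(child.tag).lower() in ACTIVE_ELEMENTS:
                parent.remove(child)
                findings.append("removed <%s> element" % _local(child.tag))

    # Attributes: every on* attribute is an event handler; href-like
    # attributes are checked for a script-capable scheme.
    for el in root.iter():
        for attr in list(el.attrib):
            name = _local(attr).lower()
            if name.startswith("on"):
                del el.attrib[attr]
                findings.append("removed %s handler on <%s>" % (name, _local(el.tag)))
            elif name == "href" and _normalize_url(el.attrib[attr]).startswith(DANGEROUS_SCHEMES):
                del el.attrib[attr]
                findings.append("removed href with active scheme on <%s>" % _local(el.tag))

    # Serialize with the usual prefixes instead of ElementTree's ns0:/ns1:.
    ET.register_namespace("", SVG_NS)
    ET.register_namespace("xlink", XLINK_NS)
    return ET.tostring(root, encoding="utf-8", xml_declaration=True), findings


# Constructed sample: renders a green circle but also carries active content.
HOSTILE_SVG = b"""<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
     width="100" height="100" onload="run()">
  <script>run()</script>
  <circle cx="50" cy="50" r="40" fill="green"/>
  <a xlink:href="java&#9;script:run()"><text x="10" y="20">click</text></a>
  <foreignObject width="100" height="100"><body xmlns="http://www.w3.org/1999/xhtml"/></foreignObject>
</svg>
"""

# Constructed sample: a plain image that must pass untouched.
CLEAN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10"><rect width="10" height="10"/></svg>'

if __name__ == "__main__":
    cleaned, found = sanitize_svg(HOSTILE_SVG)
    for f in found:
        print("finding:", f)
    print(cleaned.decode())
```

Stripping is only one of the options the recommendation leaves open; rejecting any upload with a non-empty findings list, or disabling SVG uploads entirely as the advisory's temporary workaround, avoids having to trust the sanitizer. Independently of sanitization, serving user-supplied SVG with `Content-Disposition: attachment`, or from a separate origin, keeps a directly opened file from running in the forum's origin.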

Exploit

Fix

XSS


Weakness Enumeration

Related Identifiers

CVE-2022-30999
GHSA-FM53-MPMP-7QW2

Affected Products

Fof Upload