CVE-2023-34845

Name of the Vulnerable Software and Affected Versions Bludit version 3.14.1

Description The issue allows attackers to execute arbitrary web scripts or HTML via uploading a crafted SVG file in the /admin/new-content component. This is possible due to an arbitrary file upload vulnerability. It's noted that the product's security model trusts users to insert arbitrary content, as they cannot create their own accounts through self-registration.

Recommendations For Bludit version 3.14.1, consider disabling the file upload feature in the /admin/new-content component until a patch is available to prevent the execution of arbitrary web scripts or HTML. Restrict access to this component to minimize the risk of exploitation. Avoid using the file upload feature with crafted SVG files until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.