PT-2023-26042 · Neos Cms · Neos Cms

Dlubitz · Published 2023-09-18 · Updated 2024-03-06 · CVE-2023-37611

CVSS v3.1: 5.4 Medium
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Neos CMS version 8.3.3
Description: The issue is a stored cross-site scripting (XSS) vulnerability. A remote authenticated attacker can upload a crafted SVG file to the neos/management/media component, and script embedded in that file executes in the browser of any user who opens the stored file from the site's origin. To exploit this, the attacker must be able to upload a maliciously crafted file or coerce someone with the needed access into uploading it. The attacker can use the vulnerability to deliver malicious script to other users of the site. A Content Security Policy (CSP) on the responses that serve uploaded files can prevent script in such a file from executing.
Recommendations: For Neos CMS version 8.3.3, disable the upload of SVG files to the neos/management/media component until a patch is available. Serving uploaded files with a Content Security Policy (CSP) that forbids script execution also helps protect against attacks being executed from maliciously crafted files.
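The two mitigations above, as an added example that is not code from Neos CMS or from the advisory: a pre-acceptance scan that rejects SVG uploads carrying active content (script elements, foreignObject, event-handler attributes, javascript: links), and the response headers with which a stored SVG can be served so that a payload the scan missed still cannot run. The function names (scan_svg, svg_response_headers) and the sample files are assumptions constructed for illustration; the scan uses the standard-library XML parser, so in production swap in defusedxml to also cover entity-expansion attacks on the parser itself.

```python
"""Reject SVG uploads with active content, and serve stored SVGs under a CSP.

Added example (not Neos CMS code). Function and sample names are assumptions.
"""
import re
import xml.etree.ElementTree as ET

# Elements that can run script or embed arbitrary HTML inside an SVG.
ACTIVE_ELEMENTS = {"script", "foreignObject"}
# URL-bearing attributes. 'href' covers xlink:href after namespace stripping;
# from/to/values cover <animate attributeName="href" values="javascript:...">.
URL_ATTRIBUTES = {"href", "from", "to", "values"}
BAD_SCHEMES = ("javascript:", "vbscript:")


def _local(name: str) -> str:
    """Strip an XML namespace: '{http://www.w3.org/2000/svg}script' -> 'script'."""
    return name.rsplit("}", 1)[-1]


def _normalise_url(value: str) -> str:
    # Browsers ignore ASCII whitespace and control characters inside a URL
    # scheme, so 'java\tscript:' is still javascript:. Strip them before matching.
    return re.sub(r"[\x00-\x20]", "", value).lower()


def scan_svg(data: bytes) -> list[str]:
    """Return a list of findings; an empty list means no active content was seen."""
    findings: list[str] = []
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        # An upload the parser cannot read is rejected rather than guessed at.
        return [f"malformed XML: {exc}"]
    for elem in root.iter():
        tag = _local(elem.tag) if isinstance(elem.tag, str) else ""
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"<{tag}> element")
        for attr, value in elem.attrib.items():
            name = _local(attr)
            if name.lower().startswith("on"):
                findings.append(f"event handler {name} on <{tag}>")
            elif name in URL_ATTRIBUTES and _normalise_url(value).startswith(BAD_SCHEMES):
                findings.append(f"{name}={value!r} on <{tag}>")
    return findings


def svg_response_headers(force_download: bool = False) -> dict[str, str]:
    """Headers for serving a stored SVG so that embedded script cannot execute.

    The CSP applies to the SVG document itself when it is opened at its own URL,
    which is the case the advisory describes; inside an <img> tag browsers never
    run SVG script anyway.
    """
    headers = {
        "Content-Type": "image/svg+xml",
        "X-Content-Type-Options": "nosniff",
        # No script, no external loads, no plugins, and a sandboxed origin.
        # Inline CSS stays allowed because legitimate SVGs often carry <style>.
        "Content-Security-Policy": "default-src 'none'; style-src 'unsafe-inline'; sandbox",
    }
    if force_download:
        # For files that never need to render in their own tab.
        headers["Content-Disposition"] = "attachment"
    return headers


# Constructed samples: a benign icon and a payload of the kind the advisory describes.
BENIGN_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
    b'<circle cx="5" cy="5" r="4" fill="#08f"/></svg>'
)
MALICIOUS_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink">
  <script>alert(document.domain)</script>
  <rect width="10" height="10" onload="alert(1)"/>
  <a xlink:href="java&#9;script:alert(2)"><text y="10">click</text></a>
</svg>"""


if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_SVG), ("malicious", MALICIOUS_SVG)):
        hits = scan_svg(blob)
        verdict = "accept" if not hits else "reject"
        print(f"{label}: {verdict}")
        for hit in hits:
            print(f"  - {hit}")
    for key, value in svg_response_headers().items():
        print(f"{key}: {value}")
```

The scan is a deny-list and should be treated as the first gate, not the only one: the CSP on the serving path is what holds when a new bypass appears, and disabling SVG upload altogether is the safest option while the affected version is in use.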

XSS


Related Identifiers

BIT-NEOS-2023-37611
CVE-2023-37611
GHSA-6QJF-7G3J-QX25

Affected Products

Neos Cms