CVE-2023-46744

Name of the Vulnerable Software and Affected Versions Squidex (affected versions not specified)

Description A stored Cross-Site Scripting (XSS) vulnerability in Squidex enables privilege escalation of authenticated users. The vulnerability is due to an insufficient SVG element filtering mechanism, which allows stored XSS attacks through uploaded SVG images. Authenticated users with the "assets.create" permission can upload a malicious SVG asset, targeting any registered user who attempts to open or view the asset. The filtering mechanism can be bypassed by introducing other HTML elements, such as an iframe element with a "src" attribute containing a "javascript:" value.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.