CVE-2023-46857

Name of the Vulnerable Software and Affected Versions Squidex versions prior to 7.9.0

Description The issue allows for XSS via an SVG document to the Upload Assets feature. This occurs because there is an incomplete blacklist in the SVG inspection, allowing JavaScript in the SRC attribute of an IFRAME element. An authenticated attack with assets.create permission is required for exploitation.

Recommendations For versions prior to 7.9.0, update to version 7.9.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the Upload Assets feature or disabling the SVG inspection to minimize the risk of exploitation. Restrict access to the assets.create permission to prevent authenticated attacks.