CVE-2023-26771

Name of the Vulnerable Software and Affected Versions Taskcafe version 0.3.2

Description The issue is related to a lack of validation in the filetype when uploading a SVG profile picture with a XSS payload. An authenticated attacker can exploit this by uploading a malicious picture, which will trigger the payload when the victim opens the file. This allows for Cross Site Scripting (XSS) attacks.

Recommendations For Taskcafe version 0.3.2, as a temporary workaround, consider disabling the upload of SVG profile pictures until a patch is available. Restrict access to the file upload feature to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.