CVE-2024-25627

Name of the Vulnerable Software and Affected Versions Alf.io versions prior to 2.0-M4-2402

Description The issue allows an administrator on the Alf.io application to upload HTML files that trigger JavaScript payloads. This could enable an attacker who gains administrative access to persist access by planting an XSS payload. There are no known workarounds for this issue.

Recommendations For versions prior to 2.0-M4-2402, upgrade to version 2.0-M4-2402 or later to resolve the issue. As a temporary workaround, consider restricting access to the HTML file upload feature until a patch is applied.