CVE-2024-25974

Name of the Vulnerable Software and Affected Versions OpenOlat versions 18.1.5 and lower

Description The issue is a stored Cross-Site Scripting (XSS) vulnerability. It allows authenticated users to upload files within the Media Center without additional rights. Although file types are limited, an SVG image containing an XSS payload can be uploaded and shared with groups, including admins, who can then be attacked with the JavaScript payload.

Recommendations For OpenOlat versions 18.1.5 and lower, consider disabling the file upload feature in the Media Center until a patch is available. Restrict access to the Media Center to minimize the risk of exploitation. Avoid sharing files, especially SVG images, with groups of users until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.