PT-2024-31859 · Contao · Contao

Published: 2024-10-02 · Updated: 2025-11-13 · CVE-2024-45965

CVSS v3.1: 6.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Contao version 5.4.1

Description: The issue allows an authenticated admin account to upload an SVG file containing malicious JavaScript code into the target system. If the file is then accessed through the website, the embedded script runs in the visitor's browser, which can lead to a Cross-Site Scripting (XSS) attack or to arbitrary code execution via the crafted JavaScript on the target.

Recommendations: For Contao version 5.4.1, consider disabling SVG file uploads for admin accounts until a patch is available, to prevent potential Cross-Site Scripting (XSS) attacks or arbitrary code execution. Restrict access to the file upload module to minimize the risk of exploitation. Avoid accessing SVG files uploaded by admin accounts through the website until the issue is resolved.
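The recommendations above are operational (disable the feature, restrict the module). Where SVG uploads must stay enabled, the usual engineering mitigation is to inspect each uploaded SVG for active content before it is stored and to serve stored SVGs with headers that keep them inert. The following is an added example written for this advisory; it is not Contao's code and does not reflect how Contao handles uploads. The function names, the two sample SVGs and the header set are assumptions constructed for illustration.

```python
"""Upload-time check for active content in SVG files.

Added example (not Contao code). It rejects SVGs that carry <script> or
<foreignObject> elements, on* event-handler attributes, or javascript:/
vbscript:/data:text/html URLs, and builds response headers that keep an
SVG inert if it must be served from the site's own origin.
"""
import re
import xml.etree.ElementTree as ET

# Element local names that can execute script or embed arbitrary HTML.
ACTIVE_ELEMENTS = {"script", "foreignobject"}
# Attributes whose values are URLs; checked for script-bearing schemes.
URL_ATTRIBUTES = {"href", "src"}
SCRIPT_SCHEMES = ("javascript:", "vbscript:", "data:text/html")


def _local(name: str) -> str:
    """Strip an ElementTree namespace prefix of the form '{uri}name'."""
    return name.rsplit("}", 1)[-1]


def find_active_content(svg_bytes: bytes) -> list[str]:
    """Return human-readable findings; an empty list means nothing active was found.

    ElementTree does not resolve external entities, but a DOCTYPE is rejected
    anyway because a legitimate SVG upload has no need for one.
    """
    findings: list[str] = []
    if re.search(rb"<!DOCTYPE", svg_bytes, re.IGNORECASE):
        findings.append("DOCTYPE declaration present")
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if _local(root.tag).lower() != "svg":
        findings.append(f"root element is <{_local(root.tag)}>, not <svg>")
    for el in root.iter():
        # Comments/PIs (if present) have a callable tag; skip them.
        tag = _local(el.tag).lower() if isinstance(el.tag, str) else ""
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"<{tag}> element")
        for attr, value in el.attrib.items():
            local = _local(attr).lower()
            if local.startswith("on"):
                findings.append(f"event handler attribute {local} on <{tag}>")
            elif local in URL_ATTRIBUTES:
                # Browsers tolerate whitespace/control characters inside the
                # scheme, so collapse them before comparing.
                scheme = re.sub(r"[\s\x00-\x1f]", "", value).lower()
                if scheme.startswith(SCRIPT_SCHEMES):
                    findings.append(f"{local}={value!r} on <{tag}>")
    return findings


def is_safe_svg_upload(svg_bytes: bytes) -> bool:
    """Accept an upload only when no active content was found."""
    return not find_active_content(svg_bytes)


def headers_for_serving_svg(filename: str) -> dict[str, str]:
    """Response headers for an SVG that must be served from the site origin.

    Content-Disposition: attachment stops the browser from rendering the file
    as a top-level document (it still displays inside <img>, where script never
    runs); the sandbox CSP blocks script if it is opened directly anyway; and
    nosniff prevents content-type guessing.
    """
    return {
        "Content-Type": "image/svg+xml",
        "Content-Disposition": f'attachment; filename="{filename}"',
        "Content-Security-Policy": "sandbox; script-src 'none'",
        "X-Content-Type-Options": "nosniff",
    }


# Constructed sample inputs (not from the advisory).
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">
  <circle cx="5" cy="5" r="4" fill="#09c"/>
</svg>"""

# The shape of file the advisory describes: script element, event handler,
# and a javascript: link. It is only parsed here, never rendered.
ACTIVE_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert(1)">
  <script>alert(document.domain)</script>
  <a xlink:href="javascript:alert(2)"><text x="1" y="9">x</text></a>
</svg>"""

if __name__ == "__main__":
    for label, data in (("benign", BENIGN_SVG), ("active", ACTIVE_SVG)):
        print(label, "->", find_active_content(data) or "no active content")
    print(headers_for_serving_svg("logo.svg"))
```

Running the block flags three findings in the constructed active sample (the `onload` handler on the root, the `<script>` element and the `javascript:` link) and none in the benign one. The header helper is the complementary control for files already on disk: an SVG referenced from an `<img>` tag keeps displaying, but a direct visit to the file URL is downloaded rather than rendered, and even if rendered the CSP `sandbox` directive prevents script execution.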

Exploit

Fix

XSS

Unrestricted File Upload

Weakness Enumeration

Related Identifiers

CVE-2024-45965
GHSA-MRW8-5368-PHM3

Affected Products

Contao