PT-2024-34656 · Zusam

Author: Ppfeister · Published 2024-11-01 · Updated 2024-11-02

CVE-2024-51492 · CVSS v3.1: 8.8 (High) · Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:L
Name of the Vulnerable Software and Affected Versions: Zusam versions prior to 0.5.6

Description: Specially crafted SVG files uploaded to the service allow unrestricted script execution when the image is loaded (stored cross-site scripting). This can lead to the theft of a target user's long-lived session token, which remains valid indefinitely unless the user requests a new one; on the platform the session token is used interchangeably with the user's static API key.

Recommendations: For versions prior to 0.5.6, update to version 0.5.6, which fixes the cross-site scripting vulnerability. As a temporary workaround, consider restricting the upload of SVG files to reduce the risk of exploitation.
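The workaround above ("restrict the upload of SVG files") is only effective if the restriction looks at the file contents and not just the extension or the client-declared MIME type, both of which the uploader controls. The following is an added illustration in Python, not code from Zusam or its fix; the function names (`looks_like_svg`, `check_image_upload`, `safe_download_headers`) and the sample bytes are constructed for this example. It rejects anything that is SVG by name, by declared type or by content, admits only raster formats it can identify by magic bytes, and shows the response headers a service should attach when it does serve user-uploaded files so that a file opened directly in the browser cannot run script.

```python
import re
from dataclasses import dataclass

SVG_MIME = "image/svg+xml"
# Matches "<svg" followed by whitespace, ">" or "/", anywhere in the prefix we
# inspect, so a BOM, XML declaration or DOCTYPE before the root element is fine.
SVG_TAG_RE = re.compile(rb"<\s*svg[\s>/]", re.IGNORECASE)

# Allowlist of raster formats identified by their leading bytes (constructed
# for this example; extend as the deployment requires).
RASTER_MAGIC = {
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/gif": (b"GIF87a", b"GIF89a"),
}


@dataclass
class UploadDecision:
    allowed: bool
    reason: str  # on success: the MIME type to store and serve


def looks_like_svg(data: bytes, filename: str, declared_mime: str) -> bool:
    """True if the extension, the declared type OR the content says SVG.

    Any one signal is enough to refuse: browsers may pick the renderer from
    the extension or from sniffed content, so a PNG named '.svg' or an SVG
    declared as 'image/png' are both treated as SVG here.
    """
    if filename.lower().endswith((".svg", ".svgz")):
        return True
    if declared_mime.split(";")[0].strip().lower() == SVG_MIME:
        return True
    return bool(SVG_TAG_RE.search(data[:4096]))


def sniff_raster(data: bytes):
    """Return the raster MIME type recognised from magic bytes, or None."""
    for mime, magics in RASTER_MAGIC.items():
        if any(data.startswith(m) for m in magics):
            return mime
    if data[:4] == b"RIFF" and data[8:12] == b"WEBP":
        return "image/webp"
    return None


def check_image_upload(data: bytes, filename: str, declared_mime: str,
                       allow_svg: bool = False) -> UploadDecision:
    """Gate an image upload: refuse SVG (the workaround), accept known rasters."""
    if looks_like_svg(data, filename, declared_mime):
        if not allow_svg:
            return UploadDecision(False, "SVG uploads disabled (CVE-2024-51492 workaround)")
        # If SVG must be kept, it has to be served with safe_download_headers().
        return UploadDecision(True, SVG_MIME)
    mime = sniff_raster(data)
    if mime is None:
        return UploadDecision(False, "content is not a recognised raster image")
    # Store the sniffed type, never the client-declared one.
    return UploadDecision(True, mime)


def safe_download_headers(stored_mime: str) -> dict:
    """Headers for serving user-uploaded files from the application origin.

    The CSP 'sandbox' directive stops script in a document opened directly
    (e.g. an SVG navigated to by URL); 'nosniff' pins the declared type; and
    SVG is additionally forced to download rather than render inline.
    """
    headers = {
        "Content-Type": stored_mime,
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "sandbox; default-src 'none'; script-src 'none'",
    }
    if stored_mime == SVG_MIME:
        headers["Content-Disposition"] = "attachment"
    return headers


if __name__ == "__main__":
    # Constructed sample: an SVG disguised with a raster name and type.
    disguised = b"\xef\xbb\xbf<?xml version='1.0'?>\n<svg xmlns='http://www.w3.org/2000/svg'><circle r='1'/></svg>"
    print(check_image_upload(disguised, "avatar.png", "image/png"))
    print(check_image_upload(b"\x89PNG\r\n\x1a\n" + b"\x00" * 16, "avatar.png", "image/png"))
    print(safe_download_headers(SVG_MIME))
```

Content sniffing is the part that matters: the first sample above carries a raster extension and a raster `Content-Type`, and only the body reveals it as SVG. Serving uploads from a separate origin (a dedicated media host) is the stronger companion measure, because then even a file that does execute script runs outside the origin that holds the session token.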

Exploit · Fix · XSS

Related Identifiers

CVE-2024-51492
GHSA-96FX-5RQV-JFXH

Affected Products

Zusam