CVE-2024-52597

Name of the Vulnerable Software and Affected Versions 2FAuth versions prior to 5.4.1

Description The issue is related to stored cross-site scripting due to improper headers in direct access to uploaded SVGs. An attacker can upload a malicious SVG containing JS code, which could compromise a victim's session and access to their tokens if the victim is driven to the uploaded image.

Recommendations For versions prior to 5.4.1, update to version 5.4.1 to resolve the issue. As a temporary workaround, consider restricting the upload of SVG files or disabling the feature that allows image uploads until the patch is applied. Avoid using the affected account migration feature until the issue is resolved.