PT-2024-36519 · Ujcms · Ujcms
Published 2024-12-16 · Updated 2024-12-17 · CVE-2024-55451
CVSS v3.1: 4.8 (Medium)
Vector: AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: UJCMS version 9.6.3

Description: A Stored Cross-Site Scripting (XSS) vulnerability exists in the authenticated SVG file upload and viewing functionality. It arises from insufficient sanitization of embedded attributes in uploaded SVG files. When a maliciously crafted SVG file is viewed by other backend users, an authenticated attacker can execute arbitrary JavaScript in the context of those users' browsers, potentially leading to the theft of sensitive tokens.

Recommendations: For UJCMS version 9.6.3, as a temporary workaround, disable the SVG file upload functionality and do not use it in the backend until a patch is available, and restrict access to the affected functionality to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
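As an added example (not code from the advisory or from the UJCMS project), the following Python check shows the kind of server-side validation that would reject an uploaded SVG carrying active content of the sort the advisory describes: script elements, event-handler attributes, and javascript: URLs. The function names and the two sample documents are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Elements that can run or embed active content; any occurrence is rejected.
FORBIDDEN_TAGS = {"script", "foreignObject", "iframe", "object", "embed"}

def _local(name: str) -> str:
    """Strip a '{namespace}' prefix from an element or attribute name."""
    return name.rsplit("}", 1)[-1]

def audit_svg(data: bytes) -> list[str]:
    """Return findings for an uploaded SVG; an empty list means nothing risky.
    Malformed XML and non-SVG roots are reported as findings, not exceptions.
    For untrusted input in production, parse with defusedxml as well."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"malformed XML: {exc}"]
    if _local(root.tag) != "svg":
        return [f"root element is <{_local(root.tag)}>, not <svg>"]
    findings: list[str] = []
    for elem in root.iter():
        tag = _local(elem.tag)
        if tag in FORBIDDEN_TAGS:
            findings.append(f"forbidden element <{tag}>")
        for attr, value in elem.attrib.items():
            aname = _local(attr)
            if aname.lower().startswith("on"):
                findings.append(f"event handler attribute {aname} on <{tag}>")
            elif aname == "href":  # covers both href and xlink:href
                # Browsers ignore whitespace/control characters inside a URL
                # scheme, so strip them before comparing (e.g. "java\tscript:").
                compact = "".join(c for c in value if c.isprintable() and not c.isspace())
                if compact.lower().startswith("javascript:"):
                    findings.append(f"javascript: URL in {aname} on <{tag}>")
    return findings

def is_safe_svg(data: bytes) -> bool:
    return not audit_svg(data)

# Constructed sample documents for demonstration only.
SAFE_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>'
UNSAFE_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" onload="x()">'
              b'<a href="java\tscript:x()"><text>hi</text></a>'
              b'<script>x()</script></svg>')

if __name__ == "__main__":
    for label, blob in (("safe", SAFE_SVG), ("unsafe", UNSAFE_SVG)):
        print(label, audit_svg(blob))
```

A check like this belongs on the upload path; serving uploaded SVGs with a restrictive Content-Security-Policy or as attachments is a complementary, browser-side mitigation.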

Exploit: XSS

Weakness Enumeration

Related Identifiers: CVE-2024-55451

Affected Products: Ujcms