PT-2025-44401 · Unknown · Urve Smart Office
Anna Błaszczak +1 · Published 2025-10-30 · Updated 2025-10-30 · CVE-2025-10348
| CVSS v4.0 | 5.1 (Medium) |
| Vector | AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N |
Name of the Vulnerable Software and Affected Versions
URVE Smart Office versions prior to 1.1.24
Description
URVE Smart Office is susceptible to a Stored Cross-Site Scripting (XSS) issue within the report problem functionality. An attacker possessing a low-privileged account can upload a Scalable Vector Graphics (SVG) file containing a malicious payload. Upon a victim accessing the URL of the uploaded resource, the malicious payload is executed. The resource is accessible to anyone without requiring authentication.
Recommendations
Upgrade to version 1.1.24 or later to address this issue.
Fix
XSS
Affected Products
Urve Smart Office