CVE-2023-53909

Name of the Vulnerable Software and Affected Versions WBCE CMS version 1.6.1

Description WBCE CMS version 1.6.1 has a stored cross-site scripting issue. Authenticated attackers can inject malicious JavaScript by uploading specially crafted SVG files. This is achieved through the media manager by exploiting the /wbce/modules/elfinder/ef/php/connector.wbce.php endpoint. Attackers upload SVG files containing script tags, and the JavaScript executes when victims access the uploaded file. The vulnerable parameter is the SVG file itself.

Recommendations Update to a newer version that contains a fix for this vulnerability.