CVE-2018-25157

Name of the Vulnerable Software and Affected Versions Phraseanet version 4.0.3

Description The software contains a stored cross-site scripting issue that permits authenticated users to inject malicious scripts via specially crafted file names during document uploads. Attackers can upload files containing embedded SVG scripts that execute in a user's browser when the file is viewed, potentially leading to cookie theft or redirection. The vulnerability is triggered when a user uploads a file with a malicious script embedded within its name.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.