Stored Cross-Site Scripting (XSS) possible with svg files rendered inline

Moderate

valadas published GHSA-m4hf-fxcg-cp34

May 23, 2025

Package

DNN.PLATFORM (C#)

Affected versions

<9.13.9

Patched versions

9.13.9

Description

Uploaded SVG files could contain scripts and if rendered inline those scripts could run allowing XSS attacks.

Severity

Moderate

/ 10

CVSS v4 base metrics

Exploitability Metrics

Attack Vector Network

Attack Complexity Low

Attack Requirements None

Privileges Required Low

User interaction Passive

Vulnerable System Impact Metrics

Confidentiality None

Integrity None

Availability None

Subsequent System Impact Metrics

Confidentiality High

Integrity None

Availability None

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N