| 제목 | toeverything AFFiNE 0.24.1 Cross Site Scripting |
|---|
| 설명 | A critical Stored Cross-Site Scripting (XSS) vulnerability has been identified in the Avatar Upload Image endpoint. The vulnerability allows an attacker to upload a malicious SVG file containing obfuscated JavaScript code. This file is permanently stored on the server and automatically executed in the browser of any user who views the image. Using the cookie sandwich technique, an attacker can steal the cookies of affected users and redirect them to an arbitrary endpoint.
|
|---|
| 원천 | ⚠️ https://drive.google.com/file/d/1L6gX0GY8cE9rS6o50oJzuMRPVMerFQNS |
|---|
| 사용자 | HAMZAOUI Mohamed (UID 91388) |
|---|
| 제출 | 2025. 10. 07. PM 09:48 (8 개월 ago) |
|---|
| 모더레이션 | 2025. 10. 19. AM 04:59 (11 days later) |
|---|
| 상태 | 수락 |
|---|
| VulDB 항목 | 329025 [toeverything AFFiNE 까지 0.24.1 Avatar Upload Image Endpoint 크로스 사이트 스크립팅] |
|---|
| 포인트들 | 20 |
|---|