| Título | toeverything AFFiNE 0.24.1 Cross Site Scripting |
|---|
| Descrição | A critical Stored Cross-Site Scripting (XSS) vulnerability has been identified in the Avatar Upload Image endpoint. The vulnerability allows an attacker to upload a malicious SVG file containing obfuscated JavaScript code. This file is permanently stored on the server and automatically executed in the browser of any user who views the image. Using the cookie sandwich technique, an attacker can steal the cookies of affected users and redirect them to an arbitrary endpoint.
|
|---|
| Fonte | ⚠️ https://drive.google.com/file/d/1L6gX0GY8cE9rS6o50oJzuMRPVMerFQNS |
|---|
| Utilizador | HAMZAOUI Mohamed (UID 91388) |
|---|
| Submissão | 07/10/2025 21h48 (há 8 meses) |
|---|
| Moderação | 19/10/2025 04h59 (11 days later) |
|---|
| Estado | Aceite |
|---|
| Entrada VulDB | 329025 [toeverything AFFiNE até 0.24.1 Avatar Upload Image Endpoint Script de Site Cruzado] |
|---|
| Pontos | 20 |
|---|