| Title | toeverything AFFiNE 0.24.1 Cross Site Scripting |
|---|---|
| Description | A critical Stored Cross-Site Scripting (XSS) vulnerability has been identified in the Avatar Upload Image endpoint. The vulnerability allows an attacker to upload a malicious SVG file containing obfuscated JavaScript code. This file is permanently stored on the server and automatically executed in the browser of any user who views the image. Using the cookie sandwich technique, an attacker can steal the cookies of affected users and redirect them to an arbitrary endpoint. |
| Source | https://drive.google.com/file/d/1L6gX0GY8cE9rS6o50oJzuMRPVMerFQNS |
| User | HAMZAOUI Mohamed (UID 91388) |
| Submission | 10/07/2025 21:48 (8 months ago) |
| Moderation | 10/19/2025 04:59 (11 days later) |
| Status | Accepted |
| VulDB entry | 329025 [toeverything AFFiNE up to 0.24.1 Avatar Upload Image Endpoint cross site scripting] |
| Points | 20 |