Squidex
CVE-2023-46744
MEDIUM
Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
1DescriptionNVD
Squidex is an open source headless CMS and content management hub. In affected versions a stored Cross-Site Scripting (XSS) vulnerability enables privilege escalation of authenticated users. The SVG element filtering mechanism intended to stop XSS attacks through uploaded SVG images, is insufficient resulting to stored XSS attacks. Squidex allows the CMS contributors to be granted the permission of uploading an SVG asset. When the asset is uploaded, a filtering mechanism is performed to validate that the SVG does not contain malicious code. The validation logic consists of traversing the HTML nodes in the DOM. In order for the validation to succeed, 2 conditions must be met: 1. No HTML tags included in a "blacklist" called "InvalidSvgElements" are present. This list only contains the element "script". and 2. No attributes of HTML tags begin with "on" (i.e. onerror, onclick) (line 65). If either of the 2 conditions is not satisfied, validation fails and the file/asset is not uploaded. However it is possible to bypass the above filtering mechanism and execute arbitrary JavaScript code by introducing other HTML elements such as an <iframe> element with a "src" attribute containing a "javascript:" value. Authenticated adversaries with the "assets.create" permission, can leverage this vulnerability to upload a malicious SVG as an asset, targeting any registered user that will attempt to open/view the asset through the Squidex CMS.
AnalysisAI
Squidex is an open source headless CMS and content management hub. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Technical ContextAI
This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. Squidex is an open source headless CMS and content management hub. In affected versions a stored Cross-Site Scripting (XSS) vulnerability enables privilege escalation of authenticated users. The SVG element filtering mechanism intended to stop XSS attacks through uploaded SVG images, is insufficient resulting to stored XSS attacks. Squidex allows the CMS contributors to be granted the permission of uploading an SVG asset. When the asset is uploaded, a filtering mechanism is performed to validate that the SVG does not contain malicious code. The validation logic consists of traversing the HTML nodes in the DOM. In order for the validation to succeed, 2 conditions must be met: 1. No HTML tags included in a "blacklist" called "InvalidSvgElements" are present. This list only contains the element "script". and 2. No attributes of HTML tags begin with "on" (i.e. onerror, onclick) (line 65). If either of the 2 conditions is not satisfied, validation fails and the file/asset is not uploaded. However it is possible to bypass the above filtering mechanism and execute arbitrary JavaScript code by introducing other HTML elements such as an <iframe> element with a "src" attribute containing a "javascript:" value. Authenticated adversaries with the "assets.create" permission, can leverage this vulnerability to upload a malicious SVG as an asset, targeting any registered user that will attempt to open/view the asset through the Squidex CMS. Affected products include: Squidex.Io Squidex.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.
Server-Side Request Forgery (SSRF) vulnerability in Squidex CMS webhook configuration allows authenticated administrator
Squidex is an open source headless CMS and content management hub. Rated high severity (CVSS 7.2), this vulnerability is
Cross-Site Request Forgery (CSRF) in GitHub repository squidex/squidex prior to 7.4.0. Rated medium severity (CVSS 6.5),
Squidex is an open source headless CMS and content management hub. Rated medium severity (CVSS 6.1), this vulnerability
Squidex before 7.4.0 was discovered to contain a squid.svg cross-site scripting (XSS) vulnerability. Rated medium severi
Improper Handling of Additional Special Element in GitHub repository squidex/squidex prior to 7.4.0. Rated medium severi
Squidex before 7.9.0 allows XSS via an SVG document to the Upload Assets feature. Rated medium severity (CVSS 5.4), this
Improper Handling of Additional Special Element in GitHub repository squidex/squidex prior to 7.4.0. Rated medium severi
Server-Side Request Forgery in Squidex versions prior to 7.23.0 allows authenticated users with asset upload permissions
Server-Side Request Forgery (SSRF) in Squidex versions before 7.23.0 allows authenticated users with schema editing perm
Server-Side Request Forgery in Squidex's backup restoration endpoint allows authenticated administrators to probe intern
Blind Server-Side Request Forgery (SSRF) in Squidex prior to version 7.23.0 allows authenticated administrators to force
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today