Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
5DescriptionCVE.org
A Stored Cross-Site Scripting (XSS) vulnerability was discovered in the File Management module of FluentCMS 1.2.3. The flaw allows an authenticated administrator to upload crafted SVG files containing malicious JavaScript code. Once uploaded, the script executes in the browser of any user who accesses the direct URL of the image, including unauthenticated visitors.
AnalysisAI
Stored cross-site scripting (XSS) in FluentCMS 1.2.3 File Management module allows authenticated administrators to upload SVG files with embedded malicious JavaScript that executes when any user-including unauthenticated visitors-accesses the image URL directly. The vulnerability has public proof-of-concept code available via GitHub pull request, and CISA SSVC framework confirms exploitability is feasible but requires user interaction and is not automatable. CVSS 5.4 reflects the attack complexity introduced by authentication requirement and user interaction, but the cross-origin scope and ability to affect multiple users elevates real-world risk.
Technical ContextAI
The vulnerability exists in the File Management module's FileService.cs, which processes uploaded SVG files. SVG is an XML-based vector image format that supports embedded JavaScript via <script> tags and event handlers (onload, onclick, etc.). The original code failed to sanitize SVG content before persistence, allowing authenticated administrators to upload payloads that execute in-browser when served to other users. The fix involves XML parsing with DTD protection (XmlReaderSettings with DtdProcessing.Prohibit) and removal of dangerous elements (<script>, <foreignObject>) and event-handler attributes. The root cause is improper input validation and insufficient output encoding for XML-embedded scripts, classified as CWE-79 (Cross-site Scripting). CPE data indicates the vulnerability affects FluentCMS but exact version metadata is incomplete in available sources.
RemediationAI
Upgrade FluentCMS to the version containing GitHub pull request 2407 (likely 1.2.4 or later; verify with vendor release notes at https://github.com/fluentcms/FluentCMS/releases). The upstream fix sanitizes SVG files by parsing with XML security hardening (DTD processing disabled), removing dangerous elements (<script>, <foreignObject>), and stripping event-handler attributes and javascript:/vbscript:/data: scheme URLs. If immediate upgrade is not possible, implement compensating controls: disable SVG upload entirely via file extension whitelist (restrict to PNG, JPG, GIF only), or implement server-side Content Security Policy (CSP) headers with img-src 'self' and script-src that blocks inline scripts-though CSP will not prevent the XSS if images are served with unsafe CSP directives. Another control is to serve all user-uploaded content from a separate domain (subdomain or external CDN) with no access to session cookies (set Secure; SameSite=None on admin session cookies), limiting XSS scope. These workarounds reduce functionality and usability; patching is the definitive fix.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-209787
GHSA-7m9c-h5vv-88gq