CVE-2023-53925 | THREATINT

Description

UliCMS 2023.1 contains a stored cross-site scripting vulnerability that allows attackers to upload malicious SVG files with embedded JavaScript. Attackers can upload crafted SVG files through the file management interface that execute arbitrary scripts when viewed by other users.

PUBLISHED Reserved 2025-12-16 | Published 2025-12-17 | Updated 2025-12-27 | Assigner VulnCheck

MEDIUM: 5.1CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

MEDIUM: 6.1CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Problem types

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Product status

2023.1

affected

Credits

Mirabbas Ağalarov finder

References

www.exploit-db.com/exploits/51435 exploit

www.exploit-db.com/exploits/51435 (ExploitDB-51435) exploit

web.archive.org/web/20230314183734/https://en.ulicms.de/ (Archived Product Webpage) product

www.vulncheck.com/...ross-site-scripting-via-svg-file-upload (VulnCheck Advisory: UliCMS 2023.1 Stored Cross-Site Scripting via SVG File Upload) third-party-advisory

cve.org (CVE-2023-53925)

nvd.nist.gov (CVE-2023-53925)

Download JSON