CVE-2021-25978

Source
https://cve.org/CVERecord?id=CVE-2021-25978
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-25978.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2021-25978
Aliases
Published
2021-11-07T18:15:07.620Z
Modified
2026-03-14T10:49:41.192265Z
Severity
  • 5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Summary
[none]
Details

Apostrophe CMS versions 2.63.0 through 3.3.1 are vulnerable to stored XSS: an editor can upload an SVG file containing malicious JavaScript to the Images module, and the XSS triggers once the file is viewed.

References

Affected packages

Git / github.com/apostrophecms/apostrophe

Affected ranges

Type
GIT
Repo
https://github.com/apostrophecms/apostrophe
Events
Database specific
{
    "versions": [
        {
            "introduced": "2.63.0"
        },
        {
            "last_affected": "3.3.1"
        }
    ]
}

Affected versions

2.*
2.63.0
2.64.0
2.64.1
2.65.0
2.66.0
2.67.0
3.*
3.0.0
3.0.0-alpha.1
3.0.0-alpha.2
3.0.0-alpha.3
3.0.0-alpha.4
3.0.0-alpha.4.1
3.0.0-alpha.4.2
3.0.0-alpha.5
3.0.0-alpha.6
3.0.0-alpha.6.1
3.0.0-alpha.7
3.0.0-beta.1
3.0.0-beta.1.1
3.0.0-beta.2
3.0.0-beta.3
3.0.1
3.1.0
3.1.1
3.1.2
3.1.3
3.2.0
3.3.0
3.3.1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-25978.json"