CVE-2024-30248

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2024-30248

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-30248.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2024-30248

Aliases

GHSA-pmww-v6c9-7p83

Published

2024-04-02T14:55:17.483Z

Modified

2025-12-05T04:18:11.415136Z

Severity

7.7 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N CVSS Calculator

Summary

Piccolo Admin's raw SVG loading may lead to complete data compromise from admin page

Details

Piccolo Admin is an admin interface/content management system for Python, built on top of Piccolo. Piccolo's admin panel allows media files to be uploaded. As a default, SVG is an allowed file type for upload. An attacker can upload an SVG which when loaded can allow arbitrary access to the admin page. This vulnerability was patched in version 1.3.2.

Database specific

{
    "cwe_ids": [
        "CWE-79"
    ],
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/30xxx/CVE-2024-30248.json"
}

References

Affected packages

Git / github.com/piccolo-orm/piccolo_admin

Affected ranges

Type: GIT
Repo: https://github.com/piccolo-orm/piccolo_admin
Events: Introduced

a573ce93be29bb326c1d72f25e2cc80c721246e2

Fixed

aea3f3bb9dfb58180c791e3e57d0a3b2fe3ff161

Affected versions

1.*

1.2.0

1.2.1

1.2.2

1.3.0

1.3.1

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-30248.json"