CVE-2024-55451

Source
https://cve.org/CVERecord?id=CVE-2024-55451
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-55451.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-55451
Published
2024-12-16T00:00:00Z
Modified
2026-07-15T01:49:18.761555981Z
Severity
  • 4.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
Summary
[none]
Details

A Stored Cross-Site Scripting (XSS) vulnerability exists in authenticated SVG file upload and viewing functionality in UJCMS 9.6.3. The vulnerability arises from insufficient sanitization of embedded attributes in uploaded SVG files. When a maliciously crafted SVG file is viewed by other backend users, it allows authenticated attackers to execute arbitrary JavaScript in the context of other backend users' browsers, potentially leading to the theft of sensitive tokens.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/55xxx/CVE-2024-55451.json",
    "cna_assigner": "mitre"
}
References

Affected packages

Git / github.com/dromara/ujcms

Affected ranges

Type
GIT
Repo
https://github.com/dromara/ujcms
Events
Database specific
{
    "cpe": "cpe:2.3:a:ujcms:ujcms:9.6.3:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "9.6.3"
        },
        {
            "last_affected": "9.6.3"
        }
    ],
    "source": "CPE_STRING"
}

Affected versions

9.*
9.6.3
v9.*
v9.6.3

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-55451.json"