A malicious content author could upload a GPX file with a Javascript payload. The payload could then be executed by luring a legitimate user to view the file in a browser with support for GPX files. GPX is an XML-based format used to store GPS data.
By default, Silverstripe CMS will no longer allow GPX files to be uploaded to the assets area.
{ "nvd_published_at": "2022-11-23T03:15:00Z", "cwe_ids": [ "CWE-79" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2022-11-21T23:58:07Z" }