QwikSec

Security Database

CVE

CWE

Training

CVE Database
/

CVE-2024-28147

Back to search

CVE-2024-28147

Published: Jun 20, 2024

Modified: Feb 13, 2025

PUBLISHED

Description

An authenticated user can upload arbitrary files in the upload function for collection preview images. An attacker may upload an HTML file that includes malicious JavaScript code which will be executed if a user visits the direct URL of the collection preview image (Stored Cross Site Scripting). It is also possible to upload SVG files that include nested XML entities. Those are parsed when a user visits the direct URL of the collection preview image, which may be utilized for a Denial of Service attack. This issue affects edu-sharing: <8.0.8-RC2, <8.1.4-RC0, <9.0.0-RC19.

VendorProductVersions

metaVentis GmbH

edu-sharing

affected
<8.0.8-RC2, <8.1.4-RC0, <9.0.0-RC19

Weaknesses (CWE)

CWE-434

References

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now