3.7

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-41048

GHSA ID

GHSA-jj7c-jrv4-c65x

EPSS Score

0.65085%

CWE

CWE-79

Published

9/21/2023

Updated

11/9/2023

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-41048

CVE-2023-41048: plone.namedfile vulnerable to Stored Cross Site Scripting with SVG images

Impact

There is a stored cross site scripting vulnerability for SVG images. A security hotfix from 2021 already partially fixed this, by making sure SVG images are always downloaded instead of shown inline. But the same problem still exists for scales of SVG images.

Note that an image tag with an SVG image as source is not vulnerable, even when the SVG image contains malicious code. To exploit the vulnerability, an attacker would first need to upload an image, and then trick a user into following a specially crafted link.

All versions of plone.namedfile are impacted.

Patches

Patches will be released in various plone.namedfile releases:

5.6.1 (for Plone 5.2)
6.0.3 (for Plone 6.0.0-6.0.4)
6.1.3 (for Plone 6.0.5-6.0.6)
6.2.1 (for Plone 6.0.7)

Workarounds

There is no workaround.

(GitHub Advisory)

3.7

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-41048

GHSA ID

GHSA-jj7c-jrv4-c65x

EPSS Score

0.65085%

CWE

CWE-79

Published

9/21/2023

Updated

11/9/2023

KEV Status

Technology

Python

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
plone.namedfile	pip	< 5.6.1	5.6.1
plone.namedfile	pip	>= 6.0.0, < 6.0.3	6.0.3
plone.namedfile	pip	>= 6.1.0, < 6.1.3	6.1.3
plone.namedfile	pip	>= 6.2.0, < 6.2.1	6.2.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper handling of scaled SVG images. The patches introduced _should_force_download and modified set_headers to enforce download headers based on MIME type checks. Prior to the fix, the ImageScale's index_html and HEAD methods served scaled SVGs without these protections. The test cases added in the commit verify that scale views (e.g., /@@images/.../custom) now force downloads for SVGs, confirming the vulnerable code paths were in the scaling handlers.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t T**r* is * stor** *ross sit* s*riptin* vuln*r**ility *or SV* im***s. * [s**urity *ot*ix *rom ****](*ttps://*it*u*.*om/plon*/Pro*u*ts.Plon**ot*ix********) *lr***y p*rti*lly *ix** t*is, *y m*kin* sur* SV* im***s *r* *lw*ys *ownlo**** inst**

Reasoning

T** vuln*r**ility st*ms *rom improp*r **n*lin* o* s**l** SV* im***s. T** p*t***s intro*u*** _s*oul*_*or**_*ownlo** *n* mo*i*i** s*t_*****rs to *n*or** *ownlo** *****rs **s** on MIM* typ* ****ks. Prior to t** *ix, t** Im***S**l*'s in**x_*tml *n* ****

3.7

Basic Information

Concerned about an active attack path?

CVE-2023-41048: plone.namedfile vulnerable to Stored Cross Site Scripting with SVG images

Impact

Patches

Workarounds

3.7

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI