CVE-2025-56515: Fiora chat group avatar is vulnerable to XSS via SVG files
Basic Information
Technical Details
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| fiora | npm | = 1.0.0 | |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability lies in the Fiora chat application's user avatar upload functionality, which is susceptible to a Cross-Site Scripting (XSS) attack. The root cause is insufficient validation of SVG file content when a user updates their avatar: an attacker can upload a specially crafted SVG file containing malicious JavaScript code embedded within <foreignObject> and <iframe> tags.

The changeAvatar function in packages/server/src/routes/user.ts is the server-side function that processes the avatar change. It receives a URL pointing to the new avatar and saves it to the user's database record without performing any server-side validation on the content of the file at that URL. This allows a malicious SVG to be associated with a user's profile.

When another user's client application renders this avatar, the embedded JavaScript is executed in the context of their browser, leading to potential session hijacking, cookie theft, or other unauthorized actions. The changeAvatar function is therefore the primary vulnerable function on the backend that enables this attack.
Vulnerable functions
changeAvatar (packages/server/src/routes/user.ts)
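One way to add the content check that the root cause analysis says is missing, as an added example that is not Fiora's code: a changeAvatar-style handler would run the avatar's bytes through a content-based allowlist of raster formats before storing the URL, and a second helper flags the foreignObject/iframe constructs when auditing avatars already stored. All function names and the inert sample SVG are constructed for illustration, and fetching the bytes behind the URL is assumed to happen elsewhere.

```typescript
// Added example, not Fiora code; all names here are hypothetical.
type AvatarKind = "png" | "jpeg" | "gif" | "webp" | "svg" | "unknown";

// Magic-byte prefixes of raster formats an avatar endpoint can accept.
const MAGIC: Array<[AvatarKind, number[]]> = [
  ["png", [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]],
  ["jpeg", [0xff, 0xd8, 0xff]],
  ["gif", [0x47, 0x49, 0x46, 0x38]],
];

// Classify by content, never by file extension or client-supplied Content-Type.
function sniffAvatar(bytes: Uint8Array): AvatarKind {
  for (const [kind, sig] of MAGIC) {
    if (sig.every((b, i) => bytes[i] === b)) return kind;
  }
  // Decode the first 1 KiB as Latin-1 so text markup can be sniffed.
  let head = "";
  for (let i = 0; i < Math.min(1024, bytes.length); i++) head += String.fromCharCode(bytes[i]);
  if (head.slice(0, 4) === "RIFF" && head.slice(8, 12) === "WEBP") return "webp";
  if (/<svg[\s>]/i.test(head)) return "svg";
  return "unknown"; // e.g. UTF-16 SVG: still rejected by the allowlist below
}

// Gate for a changeAvatar-style handler: raster images only, default deny.
function isAvatarAllowed(bytes: Uint8Array): boolean {
  const kind = sniffAvatar(bytes);
  return kind === "png" || kind === "jpeg" || kind === "gif" || kind === "webp";
}

// Constructs that turn an SVG into active content. Triage aid, not a sanitizer.
const ACTIVE_SVG: Array<[string, RegExp]> = [
  ["script", /<script[\s>\/]/i],
  ["foreignObject", /<foreignObject[\s>\/]/i],
  ["iframe", /<iframe[\s>\/]/i],
  ["event-handler attribute", /\son[a-z]+\s*=/i],
  ["javascript: URL", /javascript\s*:/i],
];

// List the active constructs present, for auditing avatars already stored.
function activeSvgFindings(svgText: string): string[] {
  return ACTIVE_SVG.filter(([, re]) => re.test(svgText)).map(([label]) => label);
}

// Constructed sample: inert SVG with the element nesting the advisory describes.
const SAMPLE_SVG =
  '<svg xmlns="http://www.w3.org/2000/svg"><foreignObject width="1" height="1">' +
  '<iframe xmlns="http://www.w3.org/1999/xhtml" src="about:blank"></iframe>' +
  "</foreignObject></svg>";
const toBytes = (s: string): Uint8Array => new Uint8Array(s.split("").map((c) => c.charCodeAt(0)));
```

The allowlist is the control; the regex findings only help locate suspicious avatars already in the database and should not be used to decide that an SVG is safe to serve.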