UliCMS Stored Cross-Site Scripting Vulnerability via SVG File Upload

Vulnerability

A stored cross-site scripting vulnerability has been identified in UliCMS version 2023.1. The file management interface accepts crafted SVG files that contain embedded JavaScript and later serves them to other users, whose browsers execute the script when the file is viewed. An attacker with upload access can therefore store a malicious SVG once and have its script run against every user who views it.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where uploaded SVG files execute scripts in the context of users who view them.

Reproduction

To reproduce this vulnerability, upload an SVG file containing JavaScript inside a <script> element through the file management interface. Once uploaded, the file can be opened by other users, and the embedded script executes in their browsers when they do.
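A server-side upload check for the mechanism described in the Vulnerability and Reproduction sections, added here as an illustration and not taken from UliCMS: it parses a candidate SVG and reports script elements, and also event-handler attributes and javascript: URLs, which is broader than the <script> case the advisory names. The svg_findings name and the sample files are my own constructions.

```python
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"

# Elements that can carry executable content inside an SVG document.
ACTIVE_ELEMENTS = {"script", "foreignObject"}
# Attributes that take a URL; a javascript: scheme in them runs on activation.
URL_ATTRIBUTES = {"href", "{%s}href" % XLINK_NS}


def _local(name: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tag and attribute names."""
    return name.rsplit("}", 1)[-1]


def svg_findings(data: bytes) -> list[str]:
    """Return the reasons an uploaded SVG must be rejected; [] means clean.

    Fails closed: input that is not well-formed XML, or whose root element is
    not a namespaced <svg>, is reported as a finding rather than accepted.
    """
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return ["not well-formed XML: %s" % exc]
    if root.tag != "{%s}svg" % SVG_NS:
        return ["root element is %r, not an SVG document" % root.tag]

    findings = []
    for elem in root.iter():
        name = _local(elem.tag)
        if name in ACTIVE_ELEMENTS:
            findings.append("<%s> element" % name)
        for attr, value in elem.attrib.items():
            if _local(attr).lower().startswith("on"):
                findings.append("event handler attribute %s on <%s>" % (_local(attr), name))
            elif attr in URL_ATTRIBUTES and value.strip().lower().startswith("javascript:"):
                findings.append("javascript: URL in %s on <%s>" % (_local(attr), name))
    return findings


# Constructed samples: a harmless icon, and two files the check must reject.
CLEAN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10"><circle cx="5" cy="5" r="4"/></svg>'
SCRIPT_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><script>/* constructed */</script></svg>'
HANDLER_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" onload="/* constructed */"><a href="javascript:void 0">x</a></svg>'

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_SVG), ("script", SCRIPT_SVG), ("handler", HANDLER_SVG)):
        print(label, "->", svg_findings(blob) or "accepted")
```

This is a block list, so treat it as one layer: store uploads outside the web root or serve them with Content-Disposition: attachment and a restrictive Content-Security-Policy. In production, parse with defusedxml rather than the standard-library parser so that entity-expansion tricks are rejected as well.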

Added: Dec 17, 2025, 11:33 PM
Updated: Dec 17, 2025, 11:33 PM

Vulnerability Rating

Custom Algorithm

  spread          1.0
  impact          1.7
  exploitability  6.5
  remediation     0.0
  relevance       1.6
  threat          6.4
  urgency         2.9
  incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.