Newforma Info Exchange Stored Cross-Site Scripting Vulnerability via SVG File Upload

Vulnerability

A stored cross-site scripting vulnerability has been identified in Newforma Info Exchange (NIX) Project Center versions prior to 2024.1. The issue arises in the 'Send a File Transfer' feature, which allows remote, authenticated attackers to upload SVG files containing JavaScript or other executable content. This uploaded content can be executed or rendered by a web browser, particularly when using a mobile user agent.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where uploaded SVG files are executed or rendered in a way that executes the embedded JavaScript, potentially leading to malicious actions being performed on behalf of the user.

Added: Oct 9, 2025, 9:28 PM

Updated: Oct 9, 2025, 9:28 PM

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

1.0

exploitability

5.0

remediation

0.0

relevance

0.6

threat

0.0

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

1.0

exploitability

5.0

remediation

0.0

relevance

0.6

threat

0.0

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Newforma Info Exchange Stored Cross-Site Scripting Vulnerability via SVG File Upload

Vulnerability

Impact

Affected Products

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating