Moonshine Arbitrary File Upload Vulnerability Allowing Code Execution

Vulnerability

A vulnerability allowing arbitrary file upload has been identified in Moonshine version 3.12.4. The upload handler accepts a malicious SVG file, and because the file is later served to the browser, any JavaScript embedded in it runs in the browser of a user who opens the file link.

Impact

Exploitation of this vulnerability allows arbitrary JavaScript to execute in the context of the browser of any user who opens the uploaded file, i.e. stored cross-site scripting via the SVG upload.

Reproduction

To reproduce this vulnerability, create or update an article in Moonshine version 3.12.4. In the 'Files' section, upload a crafted SVG file that includes a JavaScript payload, such as an alert script. Once the article is saved, the uploaded SVG can be accessed through the article link, triggering the JavaScript execution.
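As an added example (not Moonshine's own code), a server-side check an upload handler could run before storing a file in the 'Files' section: it parses the SVG and flags script elements, event-handler attributes and javascript:/data: links of the kind the advisory describes. The element list, sample inputs and function names are assumptions of this example; serving uploads with Content-Disposition: attachment and a restrictive Content-Security-Policy is the complementary control.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: an SVG carrying the kind of JavaScript payload the advisory describes.
MALICIOUS_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)">
  <script>alert(document.domain)</script>
  <a href="javascript:alert(1)"><text>x</text></a>
</svg>"""

# Constructed sample: a benign icon with no active content.
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">
  <circle cx="5" cy="5" r="4" fill="#09f"/>
</svg>"""

# Elements that can carry or load executable content (assumed, conservative list).
ACTIVE_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}


def local(qname: str) -> str:
    """Strip the '{namespace}' prefix ElementTree adds, e.g. '{...xlink}href' -> 'href'."""
    return qname.rsplit("}", 1)[-1].lower()


def find_active_content(svg_bytes: bytes) -> list[str]:
    """Return a list of reasons the SVG must be rejected; empty means no active content found."""
    findings = []
    # A DOCTYPE allows entity declarations; images never need one, so refuse it outright.
    if re.search(rb"<!DOCTYPE", svg_bytes, re.I):
        findings.append("DOCTYPE declaration (entity expansion risk)")
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return findings + [f"not well-formed XML: {exc}"]
    if local(root.tag) != "svg":
        findings.append(f"root element is <{local(root.tag)}>, not <svg>")
    for el in root.iter():  # iter() includes the root, so onload on <svg> is caught too
        name = local(el.tag)
        if name in ACTIVE_ELEMENTS:
            findings.append(f"<{name}> element")
        for attr, value in el.attrib.items():
            a = local(attr)
            if a.startswith("on"):  # onload, onclick, onerror, ...
                findings.append(f"event handler attribute {a}= on <{name}>")
            elif a == "href":
                # Browsers ignore whitespace/control characters inside the scheme, so strip them first.
                cleaned = re.sub(r"[\x00-\x20]", "", value).lower()
                if cleaned.startswith(("javascript:", "data:")):
                    findings.append(f"href with {cleaned.split(':', 1)[0]}: URL on <{name}>")
    return findings


def is_safe_svg(svg_bytes: bytes) -> bool:
    """Decision an upload handler can use: store the file only when nothing was flagged."""
    return not find_active_content(svg_bytes)
```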

Added: Aug 19, 2025, 3:21 PM
Updated: Aug 19, 2025, 3:21 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 10.0
exploitability: 6.3
remediation: 0.0
relevance: 0.4
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.