FluentCMS Stored Cross-Site Scripting Vulnerability in File Management Module
Vulnerability
A stored cross-site scripting vulnerability has been identified in the File Management module of FluentCMS version 1.2.3. This vulnerability allows authenticated administrators to upload SVG files containing malicious JavaScript. Once these files are uploaded, the scripts execute in the browsers of users who access the image's URL, including those who are not authenticated.
Impact
Exploitation of this vulnerability allows for stored cross-site scripting, where uploaded SVG files execute JavaScript in the context of the user viewing the image.
Reproduction
To reproduce this vulnerability, log into the FluentCMS admin panel and navigate to the File Management section. Upload an SVG file that includes malicious JavaScript. After the file is uploaded, access the image's URL to observe the execution of the JavaScript in the browser.
Remediation
Users are advised to update to the patched version of FluentCMS, which addresses this vulnerability by sanitizing SVG uploads to prevent the execution of embedded JavaScript.
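As an added illustration of the kind of check SVG sanitization involves (this is not FluentCMS's patch or code from the project), the following Python function parses an uploaded SVG and lists the active content it finds. The function names, the deny-list and the sample files are assumptions constructed for this example.

```python
import xml.etree.ElementTree as ET

# Assumed deny-list for this example; it is not FluentCMS's actual patch.
ACTIVE_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}

def local(name: str) -> str:
    """Drop the '{namespace}' prefix ElementTree adds and lowercase the name."""
    return name.rsplit("}", 1)[-1].lower()

def svg_findings(data: bytes) -> list[str]:
    """Return the reasons to reject an uploaded SVG; an empty list means none found."""
    try:
        text = data.decode("utf-8")  # one encoding only, so the checks see what the parser sees
    except UnicodeDecodeError:
        return ["not UTF-8"]
    if "<!doctype" in text.lower():  # DTDs allow entity tricks; a static image needs none
        return ["DOCTYPE declaration"]
    try:
        root = ET.fromstring(text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    findings = [] if local(root.tag) == "svg" else ["root element is not <svg>"]
    for el in root.iter():
        tag = local(el.tag)
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"<{tag}> element")
        for name, value in el.attrib.items():
            attr = local(name)
            # Character references are already decoded by the parser; whitespace
            # is removed because browsers ignore it inside a URL scheme.
            compact = "".join(value.split()).lower()
            if attr.startswith("on"):
                findings.append(f"event handler {attr} on <{tag}>")
            elif "javascript:" in compact:
                findings.append(f"javascript: URL in {attr} on <{tag}>")
            elif attr in ("href", "src") and compact.startswith("data:"):
                findings.append(f"data: URL in {attr} on <{tag}>")
    return findings

# Constructed samples; the script bodies are inert placeholders.
CLEAN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'
ACTIVE_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" '
              b'xmlns:xlink="http://www.w3.org/1999/xlink" onload="void 0">'
              b'<script>/* placeholder */</script>'
              b'<a xlink:href="java&#115;cript:void 0"><circle r="4"/></a></svg>')

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_SVG), ("active", ACTIVE_SVG)):
        print(label, svg_findings(sample))
```

A deny-list like this only catches what it names, so a clean result is one layer of defence and not proof that the file is inert.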
