On Sun, Dec 01, 2024 at 05:30:43PM +0100, Moritz Mühlenhoff wrote:
> Source: spip
> X-Debbugs-CC: [email protected]
> Severity: important
> Tags: security
> 
> Hi,
> 
> The following vulnerability was published for spip.
> 
> CVE-2024-53619[0]:
> | An authenticated arbitrary file upload vulnerability in the
> | Documents module of SPIP v4.3.3 allows attackers to execute
> | arbitrary code via uploading a crafted PDF file.
> 
> It's unclear whether this has been reported/fixed upstream, the
> only reference is:
> https://grimthereaperteam.medium.com/spip-4-3-3-malicious-file-upload-xss-in-pdf-526c03bb1776

Upstream considers it invalid because the executed code is sandboxed
with a limited scope and without access to the website context.

They pointed me to an article considered relevant to this case.
https://textslashplain.com/2024/04/10/browser-security-bugs-that-arent-javascript-in-pdf/

Regards,

taffit
