← Voltar para CVEs
CVE-2025-56515
HIGH8.8
Descricao
File upload vulnerability in Fiora chat application 1.0.0 through user avatar upload functionality. The application fails to validate SVG file content, allowing malicious SVG files with embedded foreignObject elements containing iframe tags and JavaScript event handlers (onmouseover) to be uploaded and stored. When rendered, these SVG files execute arbitrary JavaScript, enabling attackers to steal user sessions, cookies, and perform unauthorized actions in the context of users viewing affected profiles.
Detalhes CVE
Pontuacao CVSS v3.18.8
SeveridadeHIGH
Vetor CVSSCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Vetor de ataqueNETWORK
ComplexidadeLOW
Privilegios necessariosNONE
Interacao do usuarioREQUIRED
Publicado10/1/2025
Ultima modificacao10/15/2025
Fontenvd
Avistamentos honeypot0
Produtos afetados
suisuijiang:fiora
Fraquezas (CWE)
CWE-79CWE-434
Referencias
https://fiora.suisuijiang.com/(cve@mitre.org)
https://github.com/Kov404/CVE-2025-56515/tree/main(cve@mitre.org)
https://github.com/yinxin630/fiora(cve@mitre.org)
Correlacoes IOC
Sem correlacoes registradas
This product uses data from the NVD API but is not endorsed or certified by the NVD.