CVE-2024-11623
MEDIUM severity · CVSS 4.8 · Cross-site scripting (XSS)
4.8CVSS MEDIUM
Summary
Authentik project is vulnerable to Stored XSS attacks through uploading crafted SVG files that are used as application icons. This action could only be performed by an authenticated admin user. The issue was fixed in 2024.10.4 release.
Impact & exploitability
Attack vectorNetwork
Attack complexityLow
Privileges requiredHigh
User interactionRequired
Confidentiality impactLow
Integrity impactLow
Availability impactNone
Exploit probability (EPSS)0%
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Affected products we track (1)
Recommendation
Apply the vendor fix in your normal patch cycle. Open any affected product above for its exact safe version.
Official patch: https://github.com/goauthentik/authentik/pull/12092 ↗