CVE-2021-25975

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in gem/publify_core

Identifiers

CVE-2021-25975

Package Slug

gem/publify_core

Vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Description

Publify is vulnerable to stored XSS as a result of an unrestricted file upload. This issue allows a user with the "publisher" role to inject malicious JavaScript via an uploaded HTML file, which is then served from the site's own origin to anyone who views it.
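The defensive pattern for this class of bug is to refuse uploads that a browser would render as HTML and to serve whatever is stored as a download rather than as a page. The Ruby below is an added example written for this page; it is not Publify's code and does not claim to be the fix shipped in 9.2.5. The allowlists, the `validate_upload` and `download_headers` helpers, and the sample inputs are all assumptions constructed for illustration.

```ruby
# Added example, not part of publify_core: a defensive upload check that refuses
# files a browser would render as HTML, plus headers for serving stored uploads.
# All names and allowlists here are assumptions for illustration.

ALLOWED_EXTENSIONS = %w[.png .jpg .jpeg .gif .pdf .txt].freeze
ALLOWED_MIME_TYPES = %w[image/png image/jpeg image/gif application/pdf text/plain].freeze

# Markers that indicate the body is really HTML, whatever the declared name says.
# SVG is included because inline SVG can carry script and event handlers.
HTML_MARKERS = [
  /<!doctype\s+html/i, /<html\b/i, /<script\b/i, /<svg\b/i, /<iframe\b/i,
  /\bon\w+\s*=\s*['"]/i
].freeze

UploadCheck = Struct.new(:accepted, :reason)

# Check the extension, the declared MIME type and the first bytes of the content.
# Rejecting on any one of the three is deliberate: the filename and the declared
# type are attacker controlled, so the content sniff is the check that matters.
def validate_upload(filename, declared_mime, content)
  ext = File.extname(filename.to_s).downcase
  unless ALLOWED_EXTENSIONS.include?(ext)
    return UploadCheck.new(false, "extension #{ext.inspect} not allowed")
  end
  unless ALLOWED_MIME_TYPES.include?(declared_mime)
    return UploadCheck.new(false, "MIME type #{declared_mime.inspect} not allowed")
  end
  # Inspect only a prefix, as raw bytes, so binary files do not raise encoding errors.
  head = content.to_s.byteslice(0, 4096).b
  if HTML_MARKERS.any? { |re| head.match?(re) }
    return UploadCheck.new(false, "content looks like HTML")
  end
  UploadCheck.new(true, nil)
end

# Headers to use when serving stored uploads back to browsers: the file is offered
# as a download, MIME sniffing is disabled, and any script that does get rendered
# runs under a sandboxed, no-source CSP rather than in the site's origin.
def download_headers(filename, mime)
  safe_name = filename.to_s.gsub(/["\\\r\n]/, "")
  {
    "Content-Type" => mime,
    "Content-Disposition" => "attachment; filename=\"#{safe_name}\"",
    "X-Content-Type-Options" => "nosniff",
    "Content-Security-Policy" => "default-src 'none'; sandbox"
  }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs: a PNG header and an HTML body renamed to .txt.
  png = "\x89PNG\r\n\x1a\n".b
  html_as_txt = "<html><body><script>alert(1)</script></body></html>"
  puts validate_upload("photo.png", "image/png", png).to_h
  puts validate_upload("notes.txt", "text/plain", html_as_txt).to_h
end
```

The extension and MIME checks alone would not have stopped a renamed HTML file, which is why the content sniff is the load-bearing check; the download headers are the second layer for anything that still gets stored.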

Affected Versions

All versions starting from 8.0 up to 9.2.4

Solution

Upgrade to version 9.2.5 or above.

Last Modified

2021-11-15
