CVE-2021-25978: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Apostrophe CMS versions between to are vulnerable to Stored XSS where an editor uploads an SVG file that contains malicious JavaScript onto the Images module, which triggers XSS once viewed.
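One way to gate SVG uploads of the kind described above, as an added example that is not Apostrophe's code or its fix. The function names, patterns and sample files are assumptions constructed here, and the check assumes the upload is UTF-8 text that will be served as `image/svg+xml`.

```javascript
// Added example (not Apostrophe code): reject SVG uploads that carry active content.
// Patterns cover the ways an SVG can run script when the file is viewed.
const CHECKS = [
  { name: 'script element', re: /<\s*(?:[\w-]+:)?script[\s>\/]/i },
  { name: 'event handler attribute', re: /[\s"'\/]on[a-z]+\s*=/i },
  { name: 'javascript: URL', url: true,
    re: /(?:href|src)\s*=\s*["']?[\s\u0000-\u0020]*javascript:/i },
  { name: 'foreignObject element', re: /<\s*(?:[\w-]+:)?foreignObject[\s>\/]/i },
  // A DOCTYPE can define entities that hide any of the above from pattern checks.
  { name: 'DOCTYPE or ENTITY declaration', re: /<!\s*(?:DOCTYPE|ENTITY)/i },
  { name: 'NUL byte (not UTF-8 text)', re: /\u0000/ },
];

// Resolve numeric character references (&#115; / &#x73;) so encoded text is checked too.
function decodeCharRefs(text) {
  return text.replace(/&#(x[0-9a-f]+|\d+);?/gi, (match, ref) => {
    const cp = /^x/i.test(ref) ? parseInt(ref.slice(1), 16) : parseInt(ref, 10);
    return cp <= 0x10ffff ? String.fromCodePoint(cp) : match;
  });
}

// Returns the names of every check the file trips; an empty array means "accept".
function findActiveSvgContent(svgText) {
  const decoded = decodeCharRefs(svgText);
  // Browsers drop tab/CR/LF inside a URL, so URL checks run on a stripped copy.
  const stripped = decoded.replace(/[\t\r\n]/g, '');
  return CHECKS.filter((c) => c.re.test(c.url ? stripped : decoded)).map((c) => c.name);
}

// Constructed sample uploads (not taken from the advisory).
const NS = 'xmlns="http://www.w3.org/2000/svg"';
const SAMPLES = {
  'logo.svg': `<svg ${NS}><circle r="4"/></svg>`,
  'script.svg': `<svg ${NS}><script>alert(1)</script></svg>`,
  'onload.svg': `<svg ${NS} onload="alert(1)"></svg>`,
  'encoded-link.svg': `<svg ${NS}><a href="java&#115;cript:alert(1)"><text>x</text></a></svg>`,
};

for (const [name, svg] of Object.entries(SAMPLES)) {
  const hits = findActiveSvgContent(svg);
  console.log(`${name}: ${hits.length ? 'REJECT (' + hits.join(', ') + ')' : 'accept'}`);
}
```

This is a strict reject gate, not a sanitizer: it can refuse harmless files and does not rewrite anything it accepts.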