CVE-2024-11623

MEDIUM

authentik < 2024.10.4 - Authenticated Stored Cross-Site Scripting via SVG Icon Upload

Title source: llm
STIX 2.1

Description

Authentik project is vulnerable to Stored XSS attacks through uploading crafted SVG files that are used as application icons.  This action could only be performed by an authenticated admin user. The issue was fixed in 2024.10.4 release.

Scores

CVSS v3 4.8
EPSS 0.0029
EPSS Percentile 20.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (1)
goauthentik/authentik < 2024.10.4
Published Feb 04, 2025
Tracked Since Feb 18, 2026