CVE-2024-30248

HIGH

piccolo-admin 1.2.0-1.3.2 - Stored Cross-Site Scripting via SVG File Upload

Title source: llm

Description

Piccolo Admin is an admin interface/content management system for Python, built on top of Piccolo. Piccolo's admin panel allows media files to be uploaded. As a default, SVG is an allowed file type for upload. An attacker can upload an SVG which when loaded can allow arbitrary access to the admin page. This vulnerability was patched in version 1.3.2.

References (2)

Core 2

Core References

Vendor Advisory x_refsource_confirm

https://github.com/piccolo-orm/piccolo_admin/security/advisories/GHSA-pmww-v6c9-7p83

Patch x_refsource_misc

https://github.com/piccolo-orm/piccolo_admin/commit/c419575c2467959d906154084d305648eb2b8faf

View Patch ZIP pw:eip

Scores

CVSS v3 7.7

EPSS 0.0049

EPSS Percentile 38.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact total

Details

CWE

CWE-79

Status published

Products (2)

piccolo-orm/piccolo_admin >= 1.2.0, < 1.3.2

pypi/piccolo-admin 1.2.0 - 1.3.2PyPI

Published Apr 02, 2024

Tracked Since Feb 18, 2026