CVE-2024-48591

MEDIUM

Inflectra SpiraTeam 7.2.00 - Stored Cross-Site Scripting via SVG File Upload

Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-48591. PoCs published by GCatt-AS.

AI-analyzed exploit summary: This repository contains a writeup for CVE-2024-48591, detailing an XSS vulnerability in Inflectra SpiraTeam 7.2.00 via crafted SVG file uploads. No exploit code is provided, only documentation.

Description

Inflectra SpiraTeam 7.2.00 is vulnerable to Cross Site Scripting (XSS). A specially crafted SVG file can be uploaded that will render and execute JavaScript upon direct viewing.

Exploits (1)

nomisec WRITEUP
by GCatt-AS · poc
https://github.com/GCatt-AS/CVE-2024-48591

Classification: Writeup 90%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: Inflectra SpiraTeam 7.2.00
Auth required
Prerequisites: Access to upload functionality in SpiraTeam · Victim interaction to view the SVG file
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3: 6.1
EPSS: 0.0042
EPSS Percentile: 33.3%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Source: Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: partial

Details

CWE: CWE-79
Status: published
Products (1): inflectra/spirateam 7.2.00
Published: Mar 20, 2025
Tracked Since: Feb 18, 2026