CVE-2025-56515
Severity: HIGH
Fiora 1.0.0 - Stored Cross-Site Scripting via Malicious SVG Avatar Upload
Title source: llm
Exploitation Summary
EIP tracks 1 public exploit for CVE-2025-56515. PoCs published by Kov404.
AI-analyzed exploit summary
The repository describes a Cross-Site Scripting (XSS) vulnerability in Fiora Chat Application version 1.0.0, where malicious SVG files can be uploaded as user avatars to execute arbitrary JavaScript. The writeup includes a detailed explanation of the attack vector and an example payload.
Description
A file upload vulnerability in the Fiora chat application 1.0.0, reachable through the user avatar upload functionality. The application fails to validate SVG file content, allowing malicious SVG files with embedded foreignObject elements containing iframe tags and JavaScript event handlers (onmouseover) to be uploaded and stored. When rendered, these SVG files execute arbitrary JavaScript, enabling attackers to steal user sessions and cookies and to perform unauthorized actions in the context of users viewing affected profiles.
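As an added defensive example (not Fiora's code and not the published PoC), the check below inspects an uploaded SVG and rejects the constructs named in the description: foreignObject elements, iframe tags, on* event-handler attributes, plus script elements and javascript: URLs. The function names and the two sample documents are constructed for this illustration.

```python
# Added example: content inspection for an uploaded SVG avatar.
# Rejects foreignObject, iframe, <script>, on* event handlers and javascript: hrefs.
# xml.etree is used so the snippet runs on stdlib alone; in production parse untrusted
# XML with defusedxml, which additionally blocks entity-expansion attacks.
import xml.etree.ElementTree as ET

FORBIDDEN_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}


def _local(name: str) -> str:
    """Strip an XML namespace, e.g. '{http://www.w3.org/2000/svg}svg' -> 'svg'."""
    return name.rsplit("}", 1)[-1].lower()


def svg_violations(data: bytes) -> list[str]:
    """Return the reasons an SVG should be rejected; an empty list means it passed."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if _local(root.tag) != "svg":
        return ["root element is not <svg>"]
    problems = []
    for el in root.iter():  # walks every element in document order, root included
        tag = _local(el.tag)
        if tag in FORBIDDEN_ELEMENTS:
            problems.append(f"forbidden element <{tag}>")
        for attr, value in el.attrib.items():
            name = _local(attr)  # also normalises xlink:href -> href
            if name.startswith("on"):
                problems.append(f"event handler attribute {name} on <{tag}>")
            elif name == "href" and value.strip().lower().startswith("javascript:"):
                problems.append(f"javascript: URL on <{tag}>")
    return problems


def is_safe_avatar(data: bytes) -> bool:
    """True only when the SVG contains none of the active-content constructs above."""
    return not svg_violations(data)


# Constructed samples for the demonstration (not taken from the advisory or PoC).
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10"><circle cx="5" cy="5" r="4"/></svg>'
UNSAFE_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg"><foreignObject width="1" height="1">'
              b'<iframe xmlns="http://www.w3.org/1999/xhtml" onmouseover="/* handler */"></iframe>'
              b'</foreignObject></svg>')

if __name__ == "__main__":
    print(is_safe_avatar(BENIGN_SVG), svg_violations(UNSAFE_SVG))
```

Content inspection is one layer only; serving user-supplied SVG under a restrictive Content-Security-Policy, from a separate origin, or rasterised to PNG removes the script-execution context regardless of what the file contains.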
Exploits (1)
References (3)
Scores
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H