Moderate severityNVD Advisory· Published Nov 10, 2021· Updated Apr 30, 2025
Publify - Stored Cross-Site Scripting (XSS) due to Unrestricted File Upload
CVE-2021-25975
Description
In publify, versions v8.0 to v9.2.4 are vulnerable to stored XSS as a result of an unrestricted file upload. This issue allows a user with “publisher” role to inject malicious JavaScript via the uploaded html file.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
publify_coreRubyGems | >= 8.0, < 9.2.5 | 9.2.5 |
Affected products
3- osv-coords2 versions
>= 8.0.0, < 9.2.4+ 1 more
- (no CPE)range: >= 8.0.0, < 9.2.4
- (no CPE)range: >= 8.0, < 9.2.5
- publify_core/publify_corev5Range: v8.0
Patches
Vulnerability mechanics
References
4- github.com/advisories/GHSA-3h7v-wqw7-ff28ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2021-25975ghsaADVISORY
- github.com/publify/publify/commit/d99c0870d3dbbfde7febdc6cad33199b84770101ghsax_refsource_MISCWEB
- www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25974ghsax_refsource_MISCWEB
News mentions
0No linked articles in our index yet.