Unrated severityNVD Advisory· Published Feb 16, 2024· Updated Aug 26, 2024

Cross-Site Scripting (XSS) via File Upload in Alf.io

CVE-2024-25627

Description

Alf.io is a free and open source event attendance management system. An administrator on the alf.io application is able to upload HTML files that trigger JavaScript payloads. As such, an attacker gaining administrative access to the alf.io application may be able to persist access by planting an XSS payload. This issue has been addressed in version 2.0-M4-2402. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Affected products

Alfio Event/Alf.iov5
Range: < 2.0-M4-2304

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/alfio-event/alf.io/security/advisories/GHSA-gpmg-8f92-37cfmitrex_refsource_CONFIRM

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000