High severity7.4NVD Advisory· Published Jun 20, 2024· Updated Apr 15, 2026

CVE-2024-28147

Description

An authenticated user can upload arbitrary files in the upload function for collection preview images. An attacker may upload an HTML file that includes malicious JavaScript code which will be executed if a user visits the direct URL of the collection preview image (Stored Cross Site Scripting). It is also possible to upload SVG files that include nested XML entities. Those are parsed when a user visits the direct URL of the collection preview image, which may be utilized for a Denial of Service attack.

This issue affects edu-sharing: <8.0.8-RC2, <8.1.4-RC0, <9.0.0-RC19.

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

seclists.org/fulldisclosure/2024/Jun/11nvd
packetstormsecurity.com/files/179199nvd
r.sec-consult.com/metaventisnvd

News mentions

No linked articles in our index yet.

cvss	0.481
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000