CVE-2025-10253
Description
A vulnerability has been found in openDCIM 23.04. This vulnerability affects unknown code of the file /scripts/uploadifive.php of the component SVG File Handler. Such manipulation of the argument Filedata leads to cross-site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
openDCIM 23.04 contains a stored XSS vulnerability via SVG file upload in /scripts/uploadifive.php, allowing arbitrary script execution.
Vulnerability
Overview
A stored cross-site scripting (XSS) vulnerability exists in openDCIM version 23.04 within the SVG file handler component at /scripts/uploadifive.php. The application accepts .svg file uploads without sanitizing the file contents. Since SVG is an XML-based format, it can contain embedded JavaScript code. An attacker can craft a malicious SVG file containing JavaScript, upload it through the image management interface, and when the file is later viewed within the application, the script executes in the victim's browser [1].
Exploitation
An authenticated user can upload a malicious SVG file via the endpoint /image_management.php under Template Management > Device Image Management. The proof-of-concept demonstrates a simple SVG file with an embedded `<script>` tag that triggers an alert. The attack requires authentication but no special privileges beyond the ability to upload device images. The uploaded file is stored and served from /assets/pictures/, making it accessible to any user who views the image within the application.
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of any user who views the malicious SVG file. This can lead to theft of cookies, session tokens, or other sensitive data. If an administrator views the file, the attacker could potentially compromise privileged accounts. The CVSS v3 score is 3.5 (Low), though the reference notes a higher severity due to the potential for data theft and account compromise.
Mitigation
The vendor was contacted but did not respond. As of the publication date, no official patch is available. Recommended mitigations include blocking SVG uploads entirely, sanitizing uploaded SVG files to remove embedded JavaScript, and enforcing a strict Content Security Policy (CSP) to limit script execution.
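As an added illustration of the "sanitize uploaded SVG files" option (example code written for this page, not openDCIM's own code), the following Python upload gate parses an SVG and rejects script elements, event-handler attributes, script-capable href schemes and DOCTYPE/ENTITY declarations. The denylist is this example's own assumption and deliberately conservative; blocking SVG uploads outright, as recommended above, remains the simplest fix.

```python
import re
import xml.etree.ElementTree as ET

SVG_ROOT = "{http://www.w3.org/2000/svg}svg"
# Elements that execute script, embed arbitrary HTML, or can rewrite href to javascript:.
FORBIDDEN_TAGS = {"script", "foreignobject", "iframe", "embed", "object", "set", "animate"}
# href schemes that run script (or load an HTML document) when the element is activated.
BAD_SCHEMES = ("javascript:", "vbscript:", "data:text/html")


def _local(name: str) -> str:
    # '{http://www.w3.org/2000/svg}script' -> 'script'; plain names pass through.
    return name.rsplit("}", 1)[-1].lower()


def svg_violations(data: bytes) -> list[str]:
    """Return the reasons an uploaded SVG must be rejected; an empty list means clean."""
    problems: list[str] = []
    head = data[:4096].lower()
    if b"<!doctype" in head or b"<!entity" in head:
        problems.append("DOCTYPE/ENTITY declarations are not allowed")
    try:
        # Stdlib parser keeps the example self-contained; prefer defusedxml in production.
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return problems + [f"not well-formed XML: {exc}"]
    if root.tag != SVG_ROOT:
        problems.append(f"root element is {root.tag!r}, not an SVG document")
    for el in root.iter():
        tag = _local(el.tag)
        if tag in FORBIDDEN_TAGS:
            problems.append(f"forbidden element <{tag}>")
        if tag == "style" and re.search(r"@import|url\s*\(", el.text or "", re.I):
            problems.append("<style> references external resources")
        for attr, value in el.attrib.items():
            name = _local(attr)  # 'xlink:href' and 'href' both become 'href'
            if name.startswith("on"):
                problems.append(f"event handler attribute {name}= on <{tag}>")
            # Drop whitespace/control characters so 'java\tscript:' is caught too.
            flat = re.sub(r"[\s\x00-\x1f]", "", value).lower()
            if name == "href" and flat.startswith(BAD_SCHEMES):
                problems.append(f"href uses a script-capable scheme on <{tag}>")
    return problems


def is_safe_svg(data: bytes) -> bool:
    """Upload gate: accept the file only if no violation was found."""
    return not svg_violations(data)


# Constructed samples for this example (not the advisory's proof-of-concept file).
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><rect width="8" height="8"/></svg>'
SCRIPT_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>'
ONLOAD_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"><rect/></svg>'
```

Wire `is_safe_svg()` into the upload handler before the file is written under the served directory; files served from the same origin as the application are exactly the ones whose scripts run with the viewer's session.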
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0 (no patches discovered yet)