VYPR
Moderate severity · NVD Advisory · Published Oct 8, 2025 · Updated Oct 8, 2025

CVE-2025-61183

Description

Cross Site Scripting in vaahcms v.2.3.1 allows a remote attacker to execute arbitrary code via upload method in the storeAvatar() method of UserBase.php

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

VaahCMS 2.3.1 has a stored XSS vulnerability in storeAvatar() via unsafe SVG upload, allowing arbitrary script execution.

A stored Cross-Site Scripting (XSS) vulnerability exists in VaahCMS version 2.3.1, specifically in the storeAvatar() method of UserBase.php. The root cause is that the file upload logic in MediaController.php saves the uploaded file to disk before performing any content or MIME-type validation. This allows an attacker to upload a malicious SVG file containing embedded JavaScript [2].

A low-level registered user can exploit this by sending a POST request to the vulnerable endpoint /backend/vaah/manage/media/upload, controlling both the filename and the directory path. The file is stored at a predictable public location such as /storage/media/YYYY/MM/.svg. Even if the backend returns an error (e.g., "Unable to decode input"), the file persists on disk [2][4].

Successful exploitation gives the attacker persistent XSS: the script runs whenever the malicious SVG is rendered as a document in a victim's browser, whether the victim follows a crafted link to the file URL or the file is embedded in a page under the attacker's control. Although the avatar URL itself is not updated with the uploaded file in this flow, the attacker can still deliver the payload by sending the direct file URL or embedding it elsewhere [4].
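The narrative above contrasts two orderings of the same upload handler: the reported one, which writes to disk and only then fails, and a safe one, which inspects the bytes first. The Python below is an added example, not code from VaahCMS or from the reporter; it models both orderings against an in-memory "disk" and shows the content check a practitioner would want for SVG, which is well-formed XML and passes any MIME-type check while still carrying script. The storage path, the two SVG samples and the `store_*` function names are constructed for this illustration.

```python
"""Added example (not VaahCMS code): validate an uploaded SVG *before* it is
written to storage, and reject SVG documents that can run script.

store_vulnerable() models the ordering the advisory describes (write, then
validate), store_hardened() the corrected one. Both operate on a dict that
stands in for the public /storage/media/... directory.
"""
import re
import xml.etree.ElementTree as ET

Storage = dict[str, bytes]  # hypothetical storage model: path -> file bytes


class UploadRejected(ValueError):
    pass


XLINK_NS = "http://www.w3.org/1999/xlink"

# Elements that execute or embed active content inside an SVG document.
ACTIVE_ELEMENTS = {"script", "foreignObject", "iframe", "embed", "object", "handler"}
# Attributes that carry a URL (unprefixed SVG 2 href and the xlink:href form).
URL_ATTRS = {"href", f"{{{XLINK_NS}}}href"}
DANGEROUS_SCHEMES = re.compile(r"^\s*(javascript|data|vbscript):", re.IGNORECASE)


def local_name(tag: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on qualified names."""
    return tag.rsplit("}", 1)[-1]


def svg_script_findings(data: bytes) -> list[str]:
    """Return the reasons an SVG is unsafe to serve from the app origin; [] means clean."""
    findings: list[str] = []
    # An avatar has no legitimate use for a DOCTYPE or entity declarations,
    # so reject them outright rather than reasoning about entity expansion.
    if b"<!DOCTYPE" in data or b"<!ENTITY" in data:
        findings.append("doctype/entity declaration")
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if local_name(root.tag) != "svg":
        findings.append(f"root element is <{local_name(root.tag)}>, not <svg>")
    for el in root.iter():
        name = local_name(el.tag)
        if name in ACTIVE_ELEMENTS:
            findings.append(f"<{name}> element")
        for attr, value in el.attrib.items():
            if local_name(attr).lower().startswith("on"):
                findings.append(f"event handler attribute {local_name(attr)} on <{name}>")
            if attr in URL_ATTRS and DANGEROUS_SCHEMES.match(value):
                findings.append(f"{local_name(attr)} with active scheme on <{name}>")
        # SMIL animation can rewrite an href to javascript: at runtime.
        if name in {"set", "animate"} and el.attrib.get("attributeName", "").endswith("href"):
            findings.append(f"<{name}> animating href")
    return findings


def store_vulnerable(storage: Storage, path: str, data: bytes) -> None:
    """Write first, validate second: the caller gets an error, the file stays."""
    storage[path] = data
    findings = svg_script_findings(data)
    if findings:
        raise UploadRejected("; ".join(findings))


def store_hardened(storage: Storage, path: str, data: bytes, content_type: str) -> None:
    """Check the declared type and the content before anything touches storage."""
    if content_type != "image/svg+xml":
        raise UploadRejected(f"unexpected Content-Type {content_type!r}")
    findings = svg_script_findings(data)
    if findings:
        raise UploadRejected("; ".join(findings))
    storage[path] = data


# Constructed samples for this example.
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" width="64" height="64">
  <circle cx="32" cy="32" r="30" fill="steelblue"/>
</svg>"""

MALICIOUS_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <script>alert(document.domain)</script>
  <a xlink:href="javascript:alert(1)"><text y="20">click</text></a>
  <rect width="1" height="1" onload="alert(2)"/>
</svg>"""


def demo() -> dict[str, bool]:
    """Run both flows on the samples and report which files persisted."""
    evil = "storage/media/2025/10/evil.svg"      # hypothetical layout
    benign = "storage/media/2025/10/avatar.svg"  # hypothetical layout
    vuln: Storage = {}
    hard: Storage = {}
    try:
        store_vulnerable(vuln, evil, MALICIOUS_SVG)
    except UploadRejected:
        pass  # the endpoint reports an error, yet the payload is on disk
    try:
        store_hardened(hard, evil, MALICIOUS_SVG, "image/svg+xml")
    except UploadRejected:
        pass  # rejected before any write
    store_hardened(hard, benign, BENIGN_SVG, "image/svg+xml")
    return {"vulnerable_persisted": evil in vuln,
            "hardened_persisted": evil in hard,
            "benign_persisted": benign in hard}


if __name__ == "__main__":
    print(svg_script_findings(MALICIOUS_SVG))
    print(demo())
```

The content check is only half of the fix. Browsers do not run script in an SVG loaded through an img element, but they do when the file is opened directly or embedded as a document, which is exactly the delivery path described above; serving uploads with `Content-Disposition: attachment`, or from a separate origin, closes that path even for files the validator misses.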

As of the publication date, no official patch has been confirmed for this vulnerability. The issue has been reported on the project's GitHub page [4]. Until a fix is available, users are advised to validate upload content before it is written to disk and restrict uploads to trusted formats, or to apply a web application firewall rule. Checking the declared MIME type alone is not sufficient: the Content-Type header is attacker-controlled, and a malicious SVG is still well-formed image/svg+xml. Serving uploaded files with a Content-Disposition: attachment header, or from a separate origin, prevents a directly opened file from running script in the application's origin.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: webreinvent/vaahcms (Packagist)
Affected versions: <= 2.3.1
Patched versions: none

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0 (no linked articles in our index yet)