Key Information

CVE ID: CVE-2025-63830
Affected Product: CKFinder v1.4.3
Affected Component: File Upload Function
Severity: High
Vendor: CKSource Holding sp. z o.o.
Attack Type: Remote

Vulnerability Details

Finding Name: Stored Cross-Site Scripting (XSS) via Malicious SVG Upload

Description:
- CKFinder v1.4.3 contains a Stored Cross-Site Scripting (XSS) vulnerability in its File Upload functionality. Uploading a crafted SVG file containing JavaScript code can result in persistent script execution when the file is accessed or previewed.
- The issue arises because the SVG file is stored and served as-is, allowing embedded tags, event handlers (e.g., , ), or elements to execute in the application's origin context.

Steps to Reproduce
1. Log in to the application integrated with CKFinder v1.4.3.
2. Navigate to the File Upload feature.
3. Upload a malicious SVG file.
4. Access or preview the file from within the CKFinder file manager or any linked view.
5. Observe JavaScript execution in the browser.

Impact / Risks
- Execution of arbitrary JavaScript in the victim's browser.
- Theft of session tokens or sensitive information.
- DOM manipulation or redirection to malicious websites.
- Potential lateral movement within admin or management interfaces.

Remediation
- Sanitize and validate uploaded SVG files before storing or rendering.
- Disable SVG uploads if not required.
- If SVG uploads are necessary, run a secure SVG sanitizer (e.g., DOMPurify, SVG-Sanitizer) before rendering.
- Serve uploaded SVGs with secure response headers:
- Host user-uploaded files on a separate domain or CDN to enforce origin isolation.
- Upgrade to the latest version of CKFinder for improved file sanitization and security handling.

Proof-of-Concept
The screenshot shows a successful upload and preview of a malicious SVG file, leading to JavaScript execution in the context of the application's origin.
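The remediation items "sanitize and validate uploaded SVG files" and "serve uploaded SVGs with secure response headers" can be implemented server-side as shown below. This is an added illustration, not CKFinder's or CKSource's code; the function names, the header values and the two sample SVG documents are this example's own assumptions, and the scan is a pre-filter that rejects script-bearing files, not a replacement for a full sanitizer such as DOMPurify.

```python
"""Defensive checks for user-uploaded SVG files (added example, not CKFinder code)."""
import re
import xml.etree.ElementTree as ET

# Elements that can carry or embed executable content inside an SVG document.
SCRIPT_BEARING_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}

# Constructed samples (not from the advisory): a benign icon and one carrying script.
CLEAN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle cx="5" cy="5" r="4"/></svg>'
SCRIPT_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"'
              b' onload="x()"><script>x()</script><a xlink:href="java\tscript:x()">t</a></svg>')


def _local_name(tag: str) -> str:
    """Strip the XML namespace: '{http://www.w3.org/2000/svg}script' -> 'script'."""
    return tag.rsplit("}", 1)[-1].lower()


def svg_findings(data: bytes) -> list:
    """Return the reasons an uploaded SVG should be rejected; an empty list means clean.

    Malformed XML is reported as a finding rather than raised, so the upload
    handler treats 'unparseable' the same way as 'dangerous'.
    """
    findings = []
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"unparseable XML: {exc}"]
    if _local_name(root.tag) != "svg":
        findings.append(f"root element is <{_local_name(root.tag)}>, not <svg>")
    for el in root.iter():  # includes the root element itself
        name = _local_name(el.tag)
        if name in SCRIPT_BEARING_ELEMENTS:
            findings.append(f"<{name}> element")
        for attr, value in el.attrib.items():
            aname = _local_name(attr)  # handles xlink:href as well as plain href
            if aname.startswith("on"):
                findings.append(f"event handler {aname} on <{name}>")
            # Drop whitespace/control characters that browsers ignore inside the scheme.
            if aname == "href" and re.sub(r"[\s\x00-\x1f]", "", value).lower().startswith("javascript:"):
                findings.append(f"javascript: URL in href on <{name}>")
    return findings


def svg_response_headers() -> dict:
    """Headers for serving a stored SVG so it cannot run script in the application's origin."""
    return {
        "Content-Type": "image/svg+xml",
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": "attachment",  # download instead of inline rendering
        # If inline rendering is ever allowed: no script, and an opaque (sandboxed) origin.
        "Content-Security-Policy": "default-src 'none'; style-src 'unsafe-inline'; sandbox",
    }
```

The header set assumes the files are served by the application itself; hosting them on a separate origin, as the advisory also recommends, removes the need to rely on the CSP line alone.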