CVE-2025-10253
BaseFortify
Publication date: 2025-09-11
Last updated on: 2026-04-29
Assigner: VulDB
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| opendcim | opendcim | 23.04 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-10253 is a stored Cross-Site Scripting (XSS) vulnerability in openDCIM version 23.04, specifically in the SVG File Handler component. The application allows uploading SVG files, which are XML-based and can contain embedded JavaScript. An attacker can craft a malicious SVG file with embedded scripts and upload it. When this file is later viewed within the application, the malicious JavaScript executes in the user's browser, potentially leading to arbitrary script execution. [1, 2, 3]
How can this vulnerability impact me?
This vulnerability can lead to execution of arbitrary JavaScript in users' browsers when they view the malicious SVG file. This can result in theft of sensitive information such as cookies and session tokens, and potentially compromise privileged accounts if an administrator views the infected file. The integrity of data can be impacted, and attackers can exploit this remotely with low complexity and low privileges required. [1, 2, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The vulnerability can be detected by checking for the presence of the vulnerable endpoint `/scripts/uploadifive.php` or by searching for URLs containing `inurl:scripts/uploadifive.php` using Google dorking techniques. Additionally, monitoring for uploads of SVG files to the image upload endpoint (e.g., `https://localhost/image_management.php`) and inspecting uploaded SVG files for embedded JavaScript can help detect exploitation attempts. No specific command is provided, but web scanning tools or curl can be used to test the upload functionality and analyze the responses: for example, upload a crafted SVG file to the endpoint with curl and observe whether it is accepted and stored. [2, 1, 3]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting allowed file types by blocking SVG uploads or any file formats capable of containing executable code, sanitizing uploaded SVG files to remove embedded JavaScript, disabling script execution within SVG content, and implementing strict Content Security Policy (CSP) headers to prevent unauthorized script execution. If possible, consider replacing the affected component or product. These measures reduce the risk of stored XSS attacks via malicious SVG files. [1, 3, 2]
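The detection answer above suggests inspecting stored SVG files for embedded JavaScript, and the mitigation answer suggests sanitizing uploads; the following is an added example of both, not openDCIM's code. It uses the Python standard library only, the sample SVG is constructed for the demonstration, and the set of flagged elements and attributes is an assumption about what a browser will execute when the file is rendered inline.

```python
# Added example (not openDCIM's code): flag and strip script-bearing content in an SVG upload.
import re
import xml.etree.ElementTree as ET

SVG_NS, XLINK_NS = "http://www.w3.org/2000/svg", "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)          # keep serialized output free of ns0: prefixes
ET.register_namespace("xlink", XLINK_NS)
# Elements that can carry or embed script, and URI schemes a browser executes as script
SCRIPT_BEARING_TAGS = {"script", "foreignobject", "iframe", "embed", "object"}
SCRIPT_SCHEME = re.compile(r"^\s*(javascript|vbscript)\s*:", re.IGNORECASE)

def local_name(qname):
    """Strip the {namespace} prefix and lower-case, so <SCRIPT> and <svg:script> both match."""
    return qname.rsplit("}", 1)[-1].lower()

def risky_attrs(elem):
    """Attributes on elem that are event handlers (on*) or script-scheme hrefs."""
    return [a for a, v in elem.attrib.items()
            if local_name(a).startswith("on")
            or (local_name(a) == "href" and SCRIPT_SCHEME.match(v))]

def find_script_content(svg_bytes):
    """Findings for a stored SVG; empty list means nothing flagged. xml.etree does not
    fetch external entities, but parse fully untrusted input with defusedxml (entity bombs)."""
    findings = []
    for elem in ET.fromstring(svg_bytes).iter():
        name = local_name(elem.tag)
        if name in SCRIPT_BEARING_TAGS:
            findings.append(f"element <{name}>")
        findings.extend(f"attribute {local_name(a)} on <{name}>" for a in risky_attrs(elem))
    return findings

def sanitize_svg(svg_bytes):
    """Return the SVG with script-bearing elements and attributes removed; drawing content stays."""
    root = ET.fromstring(svg_bytes)
    for elem in list(root.iter()):
        for child in list(elem):
            if local_name(child.tag) in SCRIPT_BEARING_TAGS:
                elem.remove(child)
        for attr in risky_attrs(elem):
            del elem.attrib[attr]
    return ET.tostring(root)

# Constructed sample: a benign circle plus an onload handler, a <script>, and a javascript: link
SAMPLE_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
     onload="alert('x')"><circle cx="10" cy="10" r="5"/>
  <script>alert('x')</script><a xlink:href="javascript:alert('x')"><text>link</text></a></svg>"""

if __name__ == "__main__":
    print(find_script_content(SAMPLE_SVG), sanitize_svg(SAMPLE_SVG), sep="\n")
```

Stripping is a fallback for files that must be kept; where the upload feature does not need SVG at all, rejecting the type outright (as the mitigation answer recommends) removes the parsing risk entirely.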