CVE-2025-10253
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-11

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability has been found in openDCIM 23.04. This vulnerability affects unknown code of the file /scripts/uploadifive.php of the component SVG File Handler. Such manipulation of the argument Filedata leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-11
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2025-09-11
EPSS Evaluated
2026-06-15
NVD
CVE-2025-10253
EUVD
EUVD-2025-28914
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
opendcim opendcim 23.04
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-10253 is a stored Cross-Site Scripting (XSS) vulnerability in openDCIM version 23.04, specifically in the SVG File Handler component. The application allows uploading SVG files, which are XML-based and can contain embedded JavaScript. An attacker can craft a malicious SVG file with embedded scripts and upload it. When this file is later viewed within the application, the malicious JavaScript executes in the user's browser, potentially leading to arbitrary script execution. [1, 2, 3]

Impact Analysis

This vulnerability can lead to execution of arbitrary JavaScript in users' browsers when they view the malicious SVG file. This can result in theft of sensitive information such as cookies and session tokens, and potentially compromise privileged accounts if an administrator views the infected file. The integrity of data can be impacted, and attackers can exploit this remotely with low complexity and low privileges required. [1, 2, 3]

Detection Guidance

The vulnerability can be detected by checking for the presence of the vulnerable endpoint `/scripts/uploadifive.php` or by searching for URLs containing `inurl:scripts/uploadifive.php` using Google dorking techniques. Additionally, monitoring for uploads of SVG files to the image upload endpoint (e.g., `https://localhost/image_management.php`) and inspecting uploaded SVG files for embedded JavaScript can help detect exploitation attempts. There is no specific command provided, but you can use web scanning tools or curl commands to test the upload functionality and analyze responses. For example, you might use curl to upload a crafted SVG file to the endpoint and observe if it is accepted and stored. [2, 1, 3]

Mitigation Strategies

Immediate mitigation steps include restricting allowed file types by blocking SVG uploads or any file formats capable of containing executable code, sanitizing uploaded SVG files to remove embedded JavaScript, disabling script execution within SVG content, and implementing strict Content Security Policy (CSP) headers to prevent unauthorized script execution. If possible, consider replacing the affected component or product. These measures reduce the risk of stored XSS attacks via malicious SVG files. [1, 3, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-10253. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart