CVE-2025-56515
BaseFortify
Publication date: 2025-10-01
Last updated on: 2025-10-15
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| suisuijiang | fiora | 1.0.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-434 | The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. |
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a file upload flaw in the Fiora chat application version 1.0.0, specifically in the user avatar upload feature. The application does not properly validate SVG file content, allowing attackers to upload malicious SVG files that contain embedded foreignObject elements with iframe tags and JavaScript event handlers like onmouseover. When these SVG files are rendered, the embedded JavaScript executes, enabling attackers to perform malicious actions.
How can this vulnerability impact me? :
The vulnerability can lead to attackers executing arbitrary JavaScript in the context of users viewing affected profiles. This can result in theft of user sessions and cookies, and allow attackers to perform unauthorized actions on behalf of the user, potentially compromising user accounts and data.