CVE-2023-53884
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-12-15

Last updated on: 2025-12-18

Assigner: VulnCheck

Description
Webedition CMS v2.9.8.8 contains a stored cross-site scripting vulnerability that allows authenticated users to upload malicious SVG files with embedded JavaScript. Attackers can upload crafted SVG files through the media upload feature to inject and execute arbitrary scripts when the file is viewed by other users.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-15
Last Modified
2025-12-18
Generated
2026-06-16
AI Q&A
2025-12-15
EPSS Evaluated
2026-06-15
NVD
CVE-2023-53884
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
webedition webedition_cms 2.9.8.8
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2023-53884 is a stored cross-site scripting (XSS) vulnerability in Webedition CMS version 2.9.8.8. Authenticated users can upload malicious SVG files containing embedded JavaScript through the media upload feature. When other users view these SVG files, the embedded scripts execute, allowing attackers to run arbitrary scripts within the context of the CMS. This occurs due to improper neutralization of input during web page generation. [1, 2]

Impact Analysis

This vulnerability can allow attackers to execute arbitrary JavaScript code in the browsers of users who view the malicious SVG files. Potential impacts include session hijacking, defacement of the website, and other client-side attacks within the Webedition CMS environment. Because the malicious code is stored and executed persistently, it can affect multiple users and compromise the security and integrity of the CMS. [1, 2]

Detection Guidance

This vulnerability can be detected by checking for the presence of malicious SVG files uploaded through the media upload feature of Webedition CMS v2.9.8.8. Specifically, look for SVG files containing embedded JavaScript code, such as <script> tags within SVG files. You can search the upload directories for SVG files and inspect their contents for suspicious scripts. For example, on the server hosting the CMS, you can run commands like: 1) Find all SVG files: `find /path/to/webedition/uploads -name '*.svg'` 2) Search for script tags inside SVG files: `grep -r '<script' /path/to/webedition/uploads/*.svg` or `grep -r '<script' /path/to/webedition/uploads/` This will help identify SVG files that contain embedded JavaScript, indicating potential exploitation of the vulnerability. [2]

Mitigation Strategies

Immediate mitigation steps include restricting or disabling the upload of SVG files through the media upload feature in Webedition CMS v2.9.8.8, especially from authenticated users who do not require this functionality. Additionally, implement server-side validation and sanitization to prevent SVG files containing embedded JavaScript from being uploaded or served. If possible, update or patch the CMS to a version that addresses this vulnerability once available. As a temporary measure, review and remove any suspicious SVG files containing scripts from the media library to prevent execution of malicious code. [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2023-53884. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart