CVE-2025-67438
Stored XSS in Sync-in Server Allows Session Cookie Theft
Publication date: 2026-02-20
Last updated on: 2026-03-25
Assigner: MITRE
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| sync-in | sync-in_server | < 1.9.3 (1.9.3 itself is not affected) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-67438 is a stored cross-site scripting (XSS) vulnerability in Sync-in Server versions before 1.9.3. An authenticated user who is allowed to upload files can store a crafted SVG file that contains JavaScript. When a victim opens the raw file URL for that SVG, the server returns it inline, the browser renders it as a document on the Sync-in origin, and the embedded script runs with the victim's session.

The root cause is two missing controls: the raw file viewer endpoint serves SVG content without sanitization or a download-forcing disposition, and the upload functionality accepts SVG files without validation. [2]
How can this vulnerability impact me?
Because the script executes on the Sync-in origin, it can read whatever the application's own pages can: session cookies that are not flagged HttpOnly, and CSRF tokens embedded in pages or API responses. Even where cookies are HttpOnly, the script can still send authenticated requests as the victim.

In practice this means session hijacking or actions performed in the victim's name, which can escalate to compromise of the victim's account and of the data stored in it. The only precondition is that the victim (ideally an administrator) opens the raw URL of the attacker's file. [2]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Two checks apply: confirm whether the deployed Sync-in Server is older than 1.9.3, and look for SVG files already in storage that carry script. [2]

- Confirm the version from the deployment itself (the container image tag or the deployed server's package metadata) and compare it with 1.9.3.
- Search the upload or storage directories for SVG content containing a script element, an event-handler attribute or a javascript: URL, for example: grep -rilE '<script|\son[a-z]+\s*=|javascript:' /path/to/sync-in/uploads/
- That grep only covers the obvious cases. An SVG can also execute script through a foreignObject element wrapping HTML, an href pointing at a data: URL, or a SMIL animation that rewrites an href, so triage each hit by reading the file rather than trusting the absence of a literal <script> tag, and do not rely on the .svg extension: what matters is the content the endpoint serves.
- In the web server or reverse proxy logs, look for requests to the raw file endpoint for SVG files; that is the exploitation path. Correlate each one with the account that uploaded the file and the accounts that fetched it.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade Sync-in Server to version 1.9.3 or later, where the vulnerability is fixed.
The fix serves files from the raw viewer with the HTTP header `Content-Disposition: attachment`, so the browser downloads the file instead of rendering it as a document on the application's origin; a script inside the SVG then never executes. The same policy is the right default for any user-supplied type a browser could render with script, not only SVG.
Until the upgrade can be applied, either block SVG uploads, sanitize uploaded SVG files to strip script elements, event-handler attributes and javascript: URLs, or have the reverse proxy add `Content-Disposition: attachment` (and `X-Content-Type-Options: nosniff`) to responses from the raw file endpoint.
Also review files already uploaded for embedded script, and monitor uploads and the raw file viewer endpoint so that malicious payloads are detected and blocked. If a malicious SVG is found, assume the sessions of users who opened it are compromised and invalidate them.
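As an added example, not Sync-in's own code, the functions below show the header policy that the fix implies: the pre-fix inline response beside the download-forcing one, plus an allowlist that keeps only script-free image types viewable inline. The page states only that the fix uses `Content-Disposition: attachment`; the additional headers, the allowlist, the file-name quoting and the function names are this example's assumptions.

```typescript
// Added example (not Sync-in's own code): the response-header policy that makes
// a raw file endpoint safe for attacker-supplied content. Only the use of
// Content-Disposition: attachment comes from the advisory; the extra headers,
// the allowlist and the function names are assumptions of this example.
export type ResponseHeaders = Record<string, string>;

// Types a browser renders without ever executing script. SVG and HTML are
// deliberately absent; text/plain is fine only because nosniff is added.
const INLINE_SAFE_TYPES = new Set(["image/png", "image/jpeg", "image/gif", "image/webp", "text/plain"]);

// Builds an RFC 6266 disposition value without letting a crafted file name
// inject quotes or CR/LF into the header.
export function dispositionValue(kind: "inline" | "attachment", name: string): string {
  const ascii = name.replace(/[^\x20-\x7e]/g, "_").replace(/["\\]/g, "_");
  return `${kind}; filename="${ascii}"; filename*=UTF-8''${encodeURIComponent(name)}`;
}

// Pre-fix behaviour as the advisory describes it: the file is rendered inline
// under the application's origin, so an SVG's script runs with the viewer's session.
export function vulnerableHeaders(mime: string, name: string): ResponseHeaders {
  return { "Content-Type": mime, "Content-Disposition": `inline; filename="${name}"` };
}

// Fixed behaviour: force a download. nosniff stops the browser guessing a
// different type, and the sandbox CSP neutralises script even in a client
// that still renders the body.
export function attachmentHeaders(mime: string, name: string): ResponseHeaders {
  return {
    "Content-Type": mime,
    "Content-Disposition": dispositionValue("attachment", name),
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "sandbox; default-src 'none'",
  };
}

// Policy: only an allowlisted, script-free type is shown inline; anything else,
// including image/svg+xml and text/html, is downloaded.
export function chooseHeaders(mime: string, name: string): ResponseHeaders {
  const base = mime.split(";")[0].trim().toLowerCase();
  if (INLINE_SAFE_TYPES.has(base)) {
    return {
      "Content-Type": mime,
      "Content-Disposition": dispositionValue("inline", name),
      "X-Content-Type-Options": "nosniff",
      "Content-Security-Policy": "sandbox; default-src 'none'",
    };
  }
  return attachmentHeaders(mime, name);
}

// True when a browser would render the body as a document on this origin.
export function rendersInline(h: ResponseHeaders): boolean {
  const disp = (h["Content-Disposition"] ?? "inline").trim().toLowerCase();
  return !disp.startsWith("attachment");
}

console.log(rendersInline(vulnerableHeaders("image/svg+xml", "logo.svg"))); // true
console.log(rendersInline(chooseHeaders("image/svg+xml", "logo.svg")));     // false
```

If the product needs SVG previews rather than downloads, the alternative to `attachment` is to serve user content from a separate origin that holds no session cookies, so that any script that does run cannot reach the application's session.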