Zenario CMS 9.0.54156 is vulnerable to cross-site scripting (XSS) via the upload of *.SVG files. An attacker can send malicious SVG files to victims; the embedded script steals the victim's cookie, leading to account takeover. Anyone viewing the image of a contact can be a victim of the XSS.
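The root cause is that an SVG is an XML document a browser will execute when rendered inline, so an upload filter that only checks the extension or MIME type lets script through. The following is an added example (written for this page, not Zenario's code or its fix) of a server-side pre-upload check that rejects SVGs carrying active content; the sample SVG documents are constructed here, and `defusedxml` would be the safer parser in production.

```python
import xml.etree.ElementTree as ET

# Elements that run or embed active content when a browser renders an SVG inline.
ACTIVE_ELEMENTS = {"script", "foreignObject", "iframe", "embed", "object"}
# URL schemes that execute code when used in href / xlink:href.
SCRIPT_SCHEMES = ("javascript:", "vbscript:")

def _local(name: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tags and attributes."""
    return name.rsplit("}", 1)[-1]

def find_active_content(svg_bytes: bytes) -> list[str]:
    """Return findings describing active content in the SVG; an empty list means none.
    A document that does not parse is itself reported, since it cannot be vetted."""
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"unparseable XML: {exc}"]
    findings = []
    for elem in root.iter():
        tag = _local(elem.tag)
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"<{tag}> element")
        for attr, value in elem.attrib.items():
            name = _local(attr)
            if name.lower().startswith("on"):          # onload, onclick, onmouseover, ...
                findings.append(f"{name} event handler on <{tag}>")
            elif name == "href" and value.strip().lower().startswith(SCRIPT_SCHEMES):
                findings.append(f"{name} with script URL on <{tag}>")
    return findings

def accept_svg_upload(svg_bytes: bytes) -> bool:
    """Upload policy: reject any SVG with active content rather than trying to sanitize it."""
    return not find_active_content(svg_bytes)

# Constructed samples (not from the advisory): a clean icon and one carrying active content.
CLEAN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10"><circle cx="5" cy="5" r="4"/></svg>'
ACTIVE_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" onload="/* handler */">'
              b'<script>/* inline script */</script>'
              b'<a xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="javascript:void(0)">'
              b'<text>x</text></a></svg>')

if __name__ == "__main__":
    for label, data in (("clean", CLEAN_SVG), ("active", ACTIVE_SVG)):
        print(label, accept_svg_upload(data), find_active_content(data))
```

Even with this check in place, serving user-supplied SVGs with `Content-Disposition: attachment` and a restrictive Content-Security-Policy keeps any file that slips through from running in the site's origin.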
References
- https://nvd.nist.gov/vuln/detail/CVE-2021-41952
- https://github.com/hieuminhnv/Zenario-CMS-9.0-last-version/issues/1
- https://github.com/TribalSystems/Zenario/commit/4566d8a9ac6755f098b3373252fdb17754a77007
- https://github.com/TribalSystems/Zenario/releases/tag/9.0.55141
- https://github.com/advisories/GHSA-x8wj-cqmp-3wmm