Full Report
Stored XSS (Cross-site Scripting) vulnerability has been found in authentik software.
Analysis Summary
# Vulnerability: Stored XSS in authentik via Crafted SVG Icon Uploads
## CVE Details
- CVE ID: CVE-2024-11623
- CVSS Score: Not explicitly provided, but XSS vulnerabilities are typically rated Medium to High.
- CWE: CWE-79 (Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting'))
## Affected Systems
- Products: authentik (goauthentik)
- Versions: All versions before 2024.10.4
- Configurations: Requires an authenticated attacker with administrative privileges to upload a malicious SVG file as an application icon.
## Vulnerability Description
The vulnerability is a Stored Cross-Site Scripting (XSS) flaw rooted in how authentik handles uploaded application icons. An attacker, possessing administrative privileges, can upload a specially crafted SVG file containing embedded malicious scripts. When another user accesses the application relying on this compromised icon, the embedded script executes in their browser context.
## Exploitation
- Status: PoC available (Implied by responsible disclosure process, though not explicitly confirmed as "in the wild")
- Complexity: Medium (Requires administrative authentication to upload the payload, but execution is client-side upon viewing)
- Attack Vector: Network
## Impact
- Confidentiality: High (Scripts can steal session tokens or unauthorized data accessible to the victim user.)
- Integrity: High (Scripts can modify data or perform actions on behalf of the victim user.)
- Availability: Low to Medium (Depends on the nature of the script, but usually minimal impact unless exploiting for denial of service.)
## Remediation
### Patches
- Patch Version: 2024.10.4 and later
### Workarounds
- No specific workarounds were detailed in the source material, but generally, restricting application icon uploads to trusted administrators or disabling custom icon uploads entirely would serve as a temporary measure until patching.
## Detection
- Indicators of Compromise: Monitor application logs for uploads of `.svg` files to icon storage endpoints. Inspect the SVG content for `<script>` elements, event-handler attributes such as `onload` or `onerror`, `javascript:` URLs, or other markup that the browser will execute when the icon is rendered.
- Detection Methods and Tools: Web Application Firewalls (WAFs) or endpoint security monitoring tools capable of inspecting file uploads for script payloads within image/vector formats.
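The following is an added example of the content inspection described above; it is not tooling from the advisory or from the authentik project. It parses an uploaded SVG as XML and flags the constructs the indicators above name (`<script>` and `<foreignObject>` elements, `on*` event-handler attributes, and `javascript:` URLs in `href`-style attributes), so a review pipeline or upload hook can reject or quarantine the file. The two sample icons are constructed for the demonstration.

```python
import xml.etree.ElementTree as ET

# Constructed sample uploads for demonstration (not taken from the advisory).
BENIGN_SVG = """<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24">
  <circle cx="12" cy="12" r="10" fill="#4a90e2"/>
</svg>"""

SUSPICIOUS_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink"
     onload="console.log('loaded')">
  <script>console.log('script element')</script>
  <a xlink:href="javascript:void(0)"><text y="15">icon</text></a>
</svg>"""

# Elements that let an SVG carry executable or embedded HTML content.
SCRIPT_ELEMENTS = {"script", "foreignobject"}
# Attributes whose value can be a URL (xlink:href/href plus the SMIL animation
# attributes, which can rewrite href at render time).
URL_ATTRIBUTES = {"href", "to", "from", "values"}


def _local(name: str) -> str:
    """Strip an ElementTree '{namespace}' prefix and lower-case the name."""
    return name.rsplit("}", 1)[-1].lower()


def scan_svg(data: str) -> list[str]:
    """Return a list of findings for one SVG document; empty means nothing flagged.

    Note: ElementTree is used here for a self-contained example. In production,
    parse untrusted XML with the defusedxml package to bound entity expansion.
    """
    findings: list[str] = []
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        # A file that is not well-formed XML should not be accepted as an icon.
        return [f"malformed XML: {exc}"]

    # iter() walks the tree depth-first and includes the root <svg> itself,
    # so an onload handler on the root element is caught too.
    for elem in root.iter():
        tag = _local(elem.tag)
        if tag in SCRIPT_ELEMENTS:
            findings.append(f"element <{tag}>")
        for attr, value in elem.attrib.items():
            name = _local(attr)
            if name.startswith("on"):
                findings.append(f"event handler attribute {name} on <{tag}>")
            elif name in URL_ATTRIBUTES and value.strip().lower().startswith("javascript:"):
                findings.append(f"javascript: URL in {name} on <{tag}>")
    return findings


def is_safe_icon(data: str) -> bool:
    """Accept the upload only when the scan produced no findings."""
    return scan_svg(data) == []


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_SVG), ("suspicious", SUSPICIOUS_SVG)):
        print(label, "->", scan_svg(doc) or "no findings")
```

Wiring `is_safe_icon` into an upload handler is an allow-list decision, not a sanitizer: a flagged file is rejected or held for review rather than rewritten, since stripping scripts from SVG reliably requires a dedicated sanitizer. The scan is also useful retrospectively, run over icons already stored on an unpatched instance.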
## References
- Vendor Advisories: CERT Polska report documentation for CVE-2024-11623.
- Relevant links - defanged:
- hxxps://www.cve.org/CVERecord?id=CVE-2024-11623
- hxxps://cert.pl/en/news/
- hxxps://goauthentik.io/