UliCMS 2023.1 Stored Cross-Site Scripting via SVG File Upload

Advisories

severity: medium
date: December 17, 2025
Affecting: Ulicms 2023.1
CVE: CVE-2023-53925
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSS: 5.1
CVSS V4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N
References: ExploitDB-51435
Archived Product Webpage
Credit: Mirabbas Ağalarov
Description: UliCMS 2023.1 contains a stored cross-site scripting vulnerability that allows attackers to upload malicious SVG files with embedded JavaScript. Attackers can upload crafted SVG files through the file management interface that execute arbitrary scripts when viewed by other users.