
CVE-2024-11623: Stored XSS in authentik

4.8 CVSS

Description

The authentik project is vulnerable to stored XSS through the upload of crafted SVG files that are used as application icons.
The upload can only be performed by an authenticated admin user.
The issue was fixed in the 2024.10.4 release.
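Because the vector is an SVG rendered as an icon, the defensive check that matters at upload time is whether the document contains script-bearing content (script elements, event-handler attributes, script-scheme links, external references). The following is an added illustration written for this page, not authentik's code and not the fix in the referenced pull request; the element and attribute policy it enforces is an assumption, and the sample icons are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Assumed policy: elements that let an SVG run script or embed foreign markup.
# Comparison is done on the lowercased local name, so the namespace prefix is ignored.
FORBIDDEN_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}

# URL schemes that execute code when followed from an href-style attribute.
SCRIPT_SCHEMES = ("javascript:", "vbscript:")


def local_name(qualified: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on tag and attribute names."""
    return qualified.rsplit("}", 1)[-1]


def normalised_scheme(value: str) -> str:
    """Browsers ignore ASCII control characters inside a URL scheme, so remove them
    before comparing; 'java\\tscript:' must be treated like 'javascript:'."""
    return re.sub(r"[\x00-\x20]", "", value).lower()


def audit_svg(data: bytes) -> list[str]:
    """Return a list of findings for an uploaded SVG icon; an empty list means no
    policy violation was found. Each finding names the element it was found on."""
    findings: list[str] = []
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]

    if local_name(root.tag).lower() != "svg":
        findings.append(f"root element is <{local_name(root.tag)}>, not <svg>")

    for elem in root.iter():
        name = local_name(elem.tag).lower()
        if name in FORBIDDEN_ELEMENTS:
            findings.append(f"forbidden element <{name}>")
        for attr, value in elem.attrib.items():
            aname = local_name(attr).lower()
            if aname.startswith("on"):
                # onload, onclick, onerror, ... all run script in a rendering context
                findings.append(f"event handler attribute {aname} on <{name}>")
            elif aname == "href":
                scheme = normalised_scheme(value)
                if scheme.startswith(SCRIPT_SCHEMES):
                    findings.append(f"script-scheme href on <{name}>")
                elif name == "use" and not scheme.startswith("#"):
                    # <use> may only reference fragments inside the same document
                    findings.append(f"external reference in <use> href")
    return findings


def is_safe_icon(data: bytes) -> bool:
    """Convenience wrapper: True only when the audit produced no findings."""
    return not audit_svg(data)


# Constructed sample icons used to exercise the audit.
CLEAN_ICON = (
    b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 16">'
    b'<circle cx="8" cy="8" r="6" fill="#3b82f6"/></svg>'
)
SCRIPT_ICON = (
    b'<svg xmlns="http://www.w3.org/2000/svg">'
    b'<script>/* constructed placeholder */</script></svg>'
)
HANDLER_ICON = (
    b'<svg xmlns="http://www.w3.org/2000/svg">'
    b'<rect width="1" height="1" onload="handler()"/></svg>'
)
EXTERNAL_USE_ICON = (
    b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
    b'<use xlink:href="https://example.invalid/sprite.svg#icon"/></svg>'
)

if __name__ == "__main__":
    for label, icon in [("clean", CLEAN_ICON), ("script", SCRIPT_ICON),
                        ("handler", HANDLER_ICON), ("external use", EXTERNAL_USE_ICON)]:
        print(label, "->", audit_svg(icon) or "ok")
```

The check runs on the raw upload rather than on a re-serialised document, so findings are reported before anything is stored. For untrusted uploads in production the parser should also be hardened against entity-expansion documents (for example with the `defusedxml` package), and serving stored icons with a restrictive `Content-Security-Policy` and `Content-Disposition` limits the impact of anything the audit misses.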

Classification

CVE ID: CVE-2024-11623

CVSS Base Severity: MEDIUM

CVSS Base Score: 4.8

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Affected Products

Vendor: goauthentik

Product: authentik

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.05% (probability of being exploited)

EPSS Percentile: 18.33% (proportion of all scored vulnerabilities with an EPSS score less than or equal to this one)

EPSS Date: 2025-03-05 (date the score was calculated)

References

https://docs.goauthentik.io/docs/security/audits-and-certs/2024-11-cobalt#svg-images-for-icons-possible-xss-vulnerability
https://github.com/goauthentik/authentik/pull/12092
https://cert.pl/en/posts/2025/02/CVE-2024-11623/