FormCms v0.5.5 contains a stored cross-site scripting (XSS) vulnerability in the avatar upload feature. Authenticated users can upload .html files containing malicious JavaScript, which are accessible via a public URL. When a privileged user accesses the file, the script executes in their browser context.
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| FormCMS(NuGet) | 0 | 0.5.7 | N/A |
CVSS Metrics
