CVE-2024-11623

Authentik project is vulnerable to Stored XSS attacks through uploading crafted SVG files that are used as application icons. This action could only be performed by an authenticated admin user. The issue was fixed in 2024.10.4 release.

CVSS v3 4.8 MEDIUM

4.8^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.7 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://cert.pl/en/posts/2025/02/CVE-2024-11623/	Third Party Advisory
https://docs.goauthentik.io/docs/security/audits-and-certs/2024-11-cobalt#svg-images-for-icons-possible-xss-vulnerability	Vendor Advisory
https://github.com/goauthentik/authentik/pull/12092	Issue Tracking Patch

Configurations

Configuration 1 (hide)

cpe:2.3:a:goauthentik:authentik:*:*:*:*:*:*:*:*

History

21 Aug 2025, 18:41

Type	Values Removed	Values Added
References	~~() https://cert.pl/en/posts/2025/02/CVE-2024-11623/ -~~	() https://cert.pl/en/posts/2025/02/CVE-2024-11623/ - Third Party Advisory
References	~~() https://docs.goauthentik.io/docs/security/audits-and-certs/2024-11-cobalt#svg-images-for-icons-possible-xss-vulnerability -~~	() https://docs.goauthentik.io/docs/security/audits-and-certs/2024-11-cobalt#svg-images-for-icons-possible-xss-vulnerability - Vendor Advisory
References	~~() https://github.com/goauthentik/authentik/pull/12092 -~~	() https://github.com/goauthentik/authentik/pull/12092 - Issue Tracking, Patch
Summary		(es) El proyecto Authentik es vulnerable a ataques XSS almacenado mediante la carga de archivos SVG manipulados específicamente para usarse como íconos de aplicaciones. Esta acción solo la puede realizar un usuario administrador autenticado. El problema se solucionó en la versión 2024.10.4.
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 4.8
First Time		Goauthentik Goauthentik authentik
CPE		cpe:2.3:a:goauthentik:authentik::::::::

04 Feb 2025, 14:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-02-04 14:15

Updated : 2025-08-21 18:41

NVD link : CVE-2024-11623

Mitre link : CVE-2024-11623

CVE.ORG link : CVE-2024-11623

JSON object : View

Products Affected

goauthentik

authentik

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2024-11623", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 4.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 1.7}], "cvssMetricV40": [{"type": "Secondary", "source": "cvd@cert.pl", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 4.8, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-02-04T14:15:30.480", "references": [{"url": "https://cert.pl/en/posts/2025/02/CVE-2024-11623/", "tags": ["Third Party Advisory"], "source": "cvd@cert.pl"}, {"url": "https://docs.goauthentik.io/docs/security/audits-and-certs/2024-11-cobalt#svg-images-for-icons-possible-xss-vulnerability", "tags": ["Vendor Advisory"], "source": "cvd@cert.pl"}, {"url": "https://github.com/goauthentik/authentik/pull/12092", "tags": ["Issue Tracking", "Patch"], "source": "cvd@cert.pl"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "cvd@cert.pl", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "Authentik project is vulnerable to Stored XSS attacks through\u00a0uploading crafted SVG files that are used as application icons.\u00a0\nThis action could only be performed by an authenticated admin user.\nThe issue was fixed in\u00a02024.10.4 release."}, {"lang": "es", "value": "El proyecto Authentik es vulnerable a ataques XSS almacenado mediante la carga de archivos SVG manipulados espec\u00edficamente para usarse como \u00edconos de aplicaciones. Esta acci\u00f3n solo la puede realizar un usuario administrador autenticado. El problema se solucion\u00f3 en la versi\u00f3n 2024.10.4."}], "lastModified": "2025-08-21T18:41:13.607", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:goauthentik:authentik:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BE680A3E-3961-45F9-BB43-BA7AE7825398", "versionEndExcluding": "2024.10.4"}], "operator": "OR"}]}], "sourceIdentifier": "cvd@cert.pl"}