CVE-2024-11623

EUVD-2024-34415
Authentik project is vulnerable to Stored XSS attacks through uploading crafted SVG files that are used as application icons. 
This action could only be performed by an authenticated admin user.
The issue was fixed in 2024.10.4 release.
Cross-site Scripting
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
4.8 MEDIUM
NETWORK
LOW
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 38%
Affected Products (NVD)
VendorProductVersion
goauthentikauthentik
𝑥
< 2024.10.4
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://cert.pl/en/posts/2025/02/CVE-2024-11623/
https://docs.goauthentik.io/docs/security/audits-and-certs/2024-11-cobalt#svg-images-for-icons-possible-xss-vulnerability
https://github.com/goauthentik/authentik/pull/12092