CVE-2024-11623

Authentik project is vulnerable to Stored XSS attacks throughuploading crafted SVG files that are used as application icons.
This action could only be performed by an authenticated admin user.
The issue was fixed in2024.10.4 release.
Cross-site Scripting
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
UNKNOWN
---
CERT-PLCNA
---
---
CISA-ADPADP
---
---
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: 20%
Common Weakness Enumeration
References
https://cert.pl/en/posts/2025/02/CVE-2024-11623/
https://docs.goauthentik.io/docs/security/audits-and-certs/2024-11-cobalt#svg-images-for-icons-possible-xss-vulnerability
https://github.com/goauthentik/authentik/pull/12092