PatchSiren

PatchSiren cyber security CVE debrief

CVE-2021-47955 Exploit Db CVE debrief

CVE-2021-47955 describes a stored cross-site scripting issue in CouchCMS 2.2.1: an authenticated user can upload an SVG file containing script through the browse.php file-upload workflow, and the embedded JavaScript runs in the browser of whoever later opens or previews the file directly. The supplied CVSS v4.0 data rates the issue MEDIUM (5.1), with user interaction required and no confidentiality, integrity, or availability impact recorded against the vulnerable system itself; the impact recorded in the vector falls on the subsequent system, that is, the viewing user's browser session. The CVE published and modified timestamps in the source data, both 2026-05-16, are record timing only and say nothing about when the flaw was discovered or exploited.

Vendor
Exploit Db
Product
Unknown in the stored record (the CVE description names CouchCMS 2.2.1)
CVSS
MEDIUM 5.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-16
Original CVE updated
2026-05-16
Advisory published
2026-05-16
Advisory updated
2026-05-16

Who should care

CouchCMS administrators, developers, and security teams responsible for instances that allow authenticated file uploads, especially where SVG content can be stored and later viewed in a browser.

Technical summary

The vulnerability is a CWE-79 cross-site scripting flaw in CouchCMS 2.2.1 in the SVG upload path exposed by browse.php. According to the supplied description, an authenticated attacker uploads an SVG containing script tags, and the script executes when the file is accessed or previewed. In practice the same holds for any construct a browser executes in an SVG opened as a document, not only a script element: event-handler attributes such as onload, javascript: URLs in href attributes, and foreignObject wrapping HTML. The execution context matters: an SVG loaded through an img element is rendered in a restricted mode in which browsers run no script, so the exploit depends on the file being navigated to or previewed directly. The NVD metadata also lists the weakness as CWE-79 and provides a CVSS v4.0 vector indicating network access, low attack complexity, required user interaction, and impact recorded only against the subsequent system (the viewing user's browser session), not the CouchCMS server.

Defensive priority

Medium. Address promptly if your deployment permits authenticated users to upload or preview SVG files, because a successful attack runs attacker-controlled script in the session of whoever opens the file. Treat the priority as higher when the users who preview uploads hold administrative privileges, since the script inherits the viewer's session and can act in the admin panel on their behalf.

Recommended defensive actions

  • Decide whether SVG uploads are needed at all; if not, remove the .svg extension and the image/svg+xml type from the upload allow-list.
  • If they are needed, validate and sanitize server-side: require well-formed XML with an svg root, reject DOCTYPE and ENTITY declarations before parsing, and strip or reject script elements, on* event-handler attributes, javascript: URLs, and foreignObject.
  • Serve user uploads with Content-Disposition: attachment, X-Content-Type-Options: nosniff, and a restrictive Content-Security-Policy (at minimum script-src 'none'); img-embedded use keeps working, while a direct navigation downloads the file instead of rendering it. Serving uploads from a separate origin additionally keeps any script that does run away from the CouchCMS admin session.
  • Restrict who can upload files and who can open the preview or browse functionality; XSS in a file browser executes with the viewing user's privileges.
  • Check for vendor updates, mitigations, or hardening guidance for CouchCMS 2.2.1.
  • Audit access logs for SVG uploads through browse.php and for direct requests to stored .svg files; when the Sec-Fetch-Dest request header is logged, a value of document rather than image marks a direct navigation, which is the case that executes script.

Evidence notes

The debrief is based only on the supplied CVE description and NVD metadata. The source corpus states that the issue affects CouchCMS 2.2.1, involves malicious SVG uploads through browse.php, and is classified as CWE-79. References supplied with the record include the CouchCMS repository, an Exploit-DB exploit page, and a VulnCheck advisory URL; these were used only as source references, not as a basis for adding unsupported details.

Official resources

The references supplied with the record are the CouchCMS repository, the Exploit-DB exploit page, and the VulnCheck advisory, as listed in the evidence notes above. Public record timing in the supplied data shows the CVE published and modified on 2026-05-16. The vulnerability description itself is taken from the supplied CVE/NVD content; no additional discovery or exploitation timeline is asserted here.