[GHSA-mrw8-5368-phm3] Contao allows admin an account to upload SVG file containing malicious JavaScript

[zoglo]

Updates

• Affected products
• CVSS v3
• CVSS v4
• Severity

Comments
See reference GHSA-vqqr-fgmh-f626

[shelbyc]

Hi @zoglo, are GHSA-mrw8-5368-phm3/CVE-2024-45965 and GHSA-vqqr-fgmh-f626/CVE-2025-29790 the same vulnerability? If so, then one of the advisories should be withdrawn as a duplicate.

I propose the following course of action:

• Withdraw GHSA-mrw8-5368-phm3 as a duplicate of GHSA-vqqr-fgmh-f626. I want to keep GHSA-vqqr-fgmh-f626 because, when one advisory comes from the National Vulnerability Database and one comes from a repository GHSA, my teammates and I usually prefer to keep the repo GHSA.
• Reject one of the CVE IDs as a duplicate of the other. CVE-2024-45965, which was issued by MITRE, was issued before CVE-2025-29790, which was issued by GitHub. I can reject CVE-2025-29790 as a duplicate of CVE-2024-45965.
• Move CVE-2024-45965 from GHSA-mrw8-5368-phm3 to GHSA-vqqr-fgmh-f626 in the global advisories
• You or another maintainer of Contao replaces CVE-2025-29790 with CVE-2024-45965 in the repo advisory, GHSA-vqqr-fgmh-f626. (This is the only part that I can't do myself.)

Do you agree with gathering all of the information into one advisory? If so, do you agree with keeping the advisory ID GHSA-vqqr-fgmh-f626 and the CVE ID CVE-2024-45965?

[zoglo]

Hey @shelbyc
thank you for taking time to look into this matter :)

are GHSA-mrw8-5368-phm3/CVE-2024-45965 and GHSA-vqqr-fgmh-f626/CVE-2025-29790 the same vulnerability?

Yes, in a way it's a duplicate — GHSA-mrw8-5368-phm3 / CVE-2024-45965 wasn’t reported to us directly. We only became aware of it after it has been published in the database and it mentioned the "mono repository", not the affected repository.

This has not been treated as a security issue initially because it has been described that only admin users could abuse the vulnerability (users with admin privileges are within secure domain in a content management system).

The latter advisory GHSA-vqqr-fgmh-f626/CVE-2025-29790 was opened after GHSA-mrw8-5368-phm3 was closed and has been updated to include all vulnerable versions.

Would it be possible to flag
GHSA-mrw8-5368-phm3 / CVE-2024-45965 as the duplicate
and keep
GHSA-vqqr-fgmh-f626 / CVE-2025-29790 instead?

Or would you recommend to follow your documented course of action?

[shelbyc]

@zoglo Common practice is to keep the CVE that was published first, in this case CVE-2024-45965. The GitHub Advisory Database allows transferring of CVE IDs from one advisory to another, so it would be possible to transfer CVE-2024-45965 to GHSA-vqqr-fgmh-f626 and withdraw the alerts from GHSA-mrw8-5368-phm3.

However, if you and your teammates at Contao are more comfortable with using CVE-2025-29790 and keeping it together with GHSA-vqqr-fgmh-f626, that should be possible. I can advocate for your preference to MITRE and ask that CVE-2024-45965 be marked as a duplicate.

Edited to add: In the meantime, because you and I both want to keep GHSA-vqqr-fgmh-f626 and mark GHSA-mrw8-5368-phm3 as a duplicate, I will start the process of marking GHSA-mrw8-5368-phm3 as a duplicate now. 🙂

Even if we decide to use CVE-2024-45965 later, marking GHSA-mrw8-5368-phm3 as a duplicate now would make the process of transferring CVE-2024-45965 to GHSA-vqqr-fgmh-f626 easier in the future. Doing the deduplication still allows us to use either CVE-2025-29790 or CVE-2024-45965 for GHSA-vqqr-fgmh-f626, according to your preference.

[advisory-database]

Hi @zoglo! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!