# CVE-2025-56514: Cross Site Scripting (XSS) Vulnerability in Fiora Chat Application

## Overview

A Cross Site Scripting (XSS) vulnerability, identified as **CVE-2025-56514**, affects the Fiora chat application version 1.0.0. This vulnerability allows an authenticated user to execute arbitrary JavaScript in the context of another user's browser by uploading a malicious SVG file through the group avatar change functionality.

## Vulnerability Details

- **Vulnerability Type**: Cross Site Scripting (XSS)
- **Attack Type**: Remote
- **Impact**: Code Execution
- **Affected Product Code Base**: Fiora 1.0.0
- **Vendor**: suisuijiang
- **Discoverer**: Kaio Mendonca Pereira

## Affected Components

The following components in the Fiora chat application are impacted:

- **Backend**: `packages/server/src/routes/group.ts` (group management routes)
- **Frontend**:
  - `packages/web/src/modules/Chat/GroupManagePanel.tsx` (group avatar upload interface)
  - `packages/web/src/service.ts` (API service layer)
  - `packages/web/src/components/Avatar.ts` (avatar rendering component)

## Attack Vectors

An authenticated user with creator privileges in a group can exploit this vulnerability as follows:

1. The user uploads a malicious SVG file containing embedded JavaScript via the "Change Group Avatar" functionality.
2. The malicious SVG is stored in the `/GroupAvatar/` directory.
3. When the SVG avatar is rendered by the `Avatar.tsx` component in another user's browser, the embedded JavaScript executes, enabling XSS exploitation.

## Steps to Reproduce

1. **Authentication**: Log in to the Fiora chat application with valid credentials.
2. **Access Target Group**: Navigate to group management and select a group where you have creator privileges.
3. **Upload Malicious SVG**: Use the "Change Group Avatar" feature to upload a malicious SVG file with embedded JavaScript, such as:

```xml