Search criteria
1 vulnerability by SESAME LABS S.L
CVE-2025-41084 (GCVE-0-2025-41084)
Vulnerability from cvelistv5 – Published: 2026-01-20 09:14 – Updated: 2026-01-29 11:33
VLAI?
Title
Stored Cross-Site Scripting (XSS) in Sesame web application
Summary
Stored Cross-Site Scripting (XSS) vulnerability in Sesame web application, due to the fact that uploaded SVG images are not properly sanitized. This allows attackers to embed malicious scripts in SVG files by sending a POST request using the 'logo' parameter in '/api/v3/companies/<ID>/logo', which are then stored on the server and executed in the context of any user who accesses the compromised resource.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SESAME LABS S.L | Sesame |
Affected:
all versions
|
Credits
Miguel Jiménez Cámara
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-41084",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-20T14:42:36.165798Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-20T14:42:43.524Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Sesame",
"vendor": "SESAME LABS S.L",
"versions": [
{
"status": "affected",
"version": "all versions"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:sesame_labs_s.l:sesame:all_versions:*:*:*:*:*:*:*",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Miguel Jim\u00e9nez C\u00e1mara"
}
],
"datePublic": "2026-01-20T11:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Stored Cross-Site Scripting (XSS) vulnerability in Sesame web application, due to the fact that uploaded SVG images are not properly sanitized. This allows attackers to embed malicious scripts in SVG files by sending a POST request using the \u0027logo\u0027 parameter in \u0027/api/v3/companies/\u0026lt;ID\u0026gt;/logo\u0027, which are then stored on the server and executed in the context of any user who accesses the compromised resource.\u003cbr\u003e"
}
],
"value": "Stored Cross-Site Scripting (XSS) vulnerability in Sesame web application, due to the fact that uploaded SVG images are not properly sanitized. This allows attackers to embed malicious scripts in SVG files by sending a POST request using the \u0027logo\u0027 parameter in \u0027/api/v3/companies/\u003cID\u003e/logo\u0027, which are then stored on the server and executed in the context of any user who accesses the compromised resource."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-29T11:33:18.995Z",
"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"shortName": "INCIBE"
},
"references": [
{
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/stored-cross-site-scripting-xss-sesame-web-application"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Sesame has implemented corrective measures at both the backend and frontend levels. In addition, previously uploaded files have been reviewed. Currently, the system completely blocks the upload of SVG files, and existing content has been cleaned up, rendering the vulnerability fixed."
}
],
"value": "Sesame has implemented corrective measures at both the backend and frontend levels. In addition, previously uploaded files have been reviewed. Currently, the system completely blocks the upload of SVG files, and existing content has been cleaned up, rendering the vulnerability fixed."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Stored Cross-Site Scripting (XSS) in Sesame web application",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"assignerShortName": "INCIBE",
"cveId": "CVE-2025-41084",
"datePublished": "2026-01-20T09:14:40.629Z",
"dateReserved": "2025-04-16T09:09:35.597Z",
"dateUpdated": "2026-01-29T11:33:18.995Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}