toeverything AFFiNE Avatar Upload Image Endpoint cross site scripting

5.1 / 10

MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P

Description

A vulnerability was identified in toeverything AFFiNE up to 0.24.1. This vulnerability affects unknown code of the component Avatar Upload Image Endpoint. Such manipulation leads to cross site scripting. The attack may be launched remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.

Basic Information

ID CVE-2025-11945

Source VulDB

Published Oct 19, 2025 at 21:02

Affected Product

Vendor toeverything

Product AFFiNE

Version 0.24.0

Affected Versions toeverything AFFiNE 0.24.0
toeverything AFFiNE 0.24.1

CWE Classification

CWE-79 CWE-94

References

{
    "lastseen": "",
    "description": "A vulnerability was identified in toeverything AFFiNE up to 0.24.1. This vulnerability affects unknown code of the component Avatar Upload Image Endpoint. Such manipulation leads to cross site scripting. The attack may be launched remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.",
    "published": "2025-10-19T21:02:06.115Z",
    "modified": "2025-10-19T21:02:06.115Z",
    "type": "cve",
    "title": "toeverything AFFiNE Avatar Upload Image Endpoint cross site scripting",
    "source": "VulDB",
    "references": "https://vuldb.com/?id.329025\nhttps://vuldb.com/?ctiid.329025\nhttps://vuldb.com/?submit.670888\nhttps://drive.google.com/file/d/1L6gX0GY8cE9rS6o50oJzuMRPVMerFQNS",
    "id": "CVE-2025-11945",
    "bulletinFamily": "",
    "cwe": [
        "CWE-79",
        "CWE-94"
    ],
    "cvelist": null,
    "sourceData": "toeverything AFFiNE 0.24.0\ntoeverything AFFiNE 0.24.1",
    "sourceHref": "",
    "cvss": {
        "score": 5.1,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "AFFiNE",
    "version": "0.24.0",
    "vendor": "toeverything",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

toeverything AFFiNE Avatar Upload Image Endpoint cross site scripting_CVE-2025-11945