CMDBuild 3.3.2 contains multiple stored cross-site scripting vulnerabilities that allow authenticated attackers to inject arbitrary web script or HTML via crafted input in card creation and file upload endpoints. Attackers can inject XSS payloads through Employee card parameters or SVG file attachments in the classes endpoint, which execute when other users view the affected records or preview attachments.
Security readout for executives and security teams
Plain-English summary
CMDBuild 3.3.2 can store attacker-supplied script or HTML inside records or uploaded SVG attachments. Because CMDBuild supports operational asset and workflow data, this can expose users to session abuse or unauthorized actions when malicious content is viewed. The sources do not show active exploitation, but a public exploit reference exists.
Executive priority
Treat this as a moderate-priority application security issue. It is not listed as actively exploited, but it affects authenticated enterprise workflows and has public exploit information. Prioritize internet-facing or broadly accessible CMDBuild instances first.
Technical view
This is multiple stored cross-site scripting in CMDBuild 3.3.2, mapped to CWE-79. Authenticated attackers can inject web script or HTML through Employee card parameters or SVG attachments in the classes endpoint. The content is stored and later executes for users viewing affected records or previews. CVSS v3.1 is 6.4, with low privileges required and changed scope.
Likely exposure
Exposure is most likely where CMDBuild 3.3.2 is deployed and accessible to internal users, contractors, or customers with authenticated accounts. Public internet exposure increases business risk, but the source bundle only names CMDBuild 3.3.2 as affected and provides no CPEs or broader version range.
Exploitation context
The bundle includes an ExploitDB reference, so public exploit information exists. KEV is false, and no cited source in the bundle states active exploitation. Abuse requires authentication, but stored XSS can affect other users after malicious records or attachments are viewed.
Researcher notes
Evidence is limited to CMDBuild 3.3.2, stored XSS vectors in card creation and SVG attachment handling, CVSS 6.4, and public advisory/exploit references. The bundle does not name a fixed version, patch, CPE, or active exploitation. Avoid expanding affected versions without vendor confirmation.
Mitigation direction
Identify and prioritize any CMDBuild 3.3.2 instances.
Check CMDBuild vendor guidance and latest-version information for upgrade direction.
Restrict CMDBuild access to trusted authenticated users while assessing exposure.
Limit or disable SVG attachment handling if operationally feasible.
Review stored records and attachments for unexpected script or HTML content.
Validation and detection
Confirm deployed CMDBuild versions through asset inventory or application administration.
Check whether Employee card fields are writable by low-privileged authenticated users.
Check whether class attachment previews allow SVG content in affected workflows.
Review CMDBuild audit logs for suspicious record changes or file uploads.
Verify upgraded or hardened instances render stored input as inert content.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · medium confidence lookup
CWE-79: User-session and phishing behavior lookup
Client-side and session-facing weaknesses should be reviewed alongside initial-access and user-execution behaviors. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
The CVE wording references file access or upload behavior, so file telemetry and web shell review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-79 · source CWE mapping
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.