XSS when viewing SVG attachments in Filr

  • 7018066
  • 19-Sep-2016
  • 23-Sep-2016

Environment

Novell Filr 2.0
Novell Filr 1.2

Situation

A cross-site scripting (XSS) vulnerability exists in versions of Filr prior to Filr 2.0 HP3 that may lead to the execution of JavaScript when an authenticated user views certain types of documents with malicious content. A remote attacker would also require authentication in order to place these documents into Filr, and would then need to coerce another user to view the content of the document. Successful exploitation of this vulnerability could lead to session compromise or enable other browser-based attacks.

Resolution

A fix for this issue is available in the Filr 2.0 Hot Patch 3, available via the Novell Patch Finder.

If you're running Filr 1.2 or older, please upgrade to the Filr 2.0 Hot Patch 3.
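
As an added illustration (not Novell's code, and not a description of the Hot Patch 3 fix, whose details this document does not give), the Python example below shows the kinds of active content an SVG file can carry and a conservative check an upload or preview path can run before rendering one inline. The function names, scheme list and sample files are assumptions constructed for this example.

```python
import xml.etree.ElementTree as ET

# Elements that run or embed active content when a browser renders the SVG.
ACTIVE_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}
# Attributes whose value can become a URL (directly, or via <set>/<animate>).
URL_ATTRS = {"href", "src", "to", "from", "values"}
BAD_SCHEMES = ("javascript:", "data:text/html", "data:image/svg+xml")

def _local(name):
    """Drop the '{namespace}' prefix ElementTree adds to tag/attribute names."""
    return name.rsplit("}", 1)[-1]

def _is_script_url(value):
    # Browsers ignore whitespace and control characters inside the scheme,
    # so remove them before comparing; 'values' may hold a ';'-separated list.
    for part in value.split(";"):
        cleaned = "".join(ch for ch in part if ch > " ").lower()
        if cleaned.startswith(BAD_SCHEMES):
            return True
    return False

def svg_findings(data: bytes):
    """Return the reasons this SVG must not be rendered inline ([] if none)."""
    # Uploads have no need for a DTD; rejecting it avoids entity expansion.
    if b"<!DOCTYPE" in data.upper():
        return ["DOCTYPE present"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    findings = []
    for el in root.iter():
        tag = _local(el.tag)
        if tag.lower() in ACTIVE_ELEMENTS:
            findings.append(f"<{tag}> element")
        for name, value in el.attrib.items():
            attr = _local(name).lower()
            if attr.startswith("on"):
                findings.append(f"event handler '{attr}' on <{tag}>")
            elif attr in URL_ATTRS and _is_script_url(value):
                findings.append(f"script URL in '{attr}' on <{tag}>")
    return findings

# Constructed samples (not from the advisory); script bodies are placeholders.
CLEAN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'
ACTIVE_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" onload="/* placeholder */">'
    b'<script>/* placeholder */</script>'
    b'<a href="javascript:void(0)"><text>x</text></a></svg>'
)
```

Independently of any such scan, serving user-uploaded SVG with `Content-Disposition: attachment` or under a restrictive `Content-Security-Policy` keeps the browser from executing it in the application's origin.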