New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
XSS (via SVG file upload) in CuppaCMS #3
Comments
|
Hi Team, Any updates regarding the patches. |
|
According to the specification, add <script> inside SVG is not considered a vulnerability and we can give support to it. If any person wants to disable upload .svg because consider that is a security risk, they can go to settings/file and remove it from allowed extensions. https://developer.mozilla.org/en-US/docs/Web/SVG/Element/script |
|
SVG is a special case because even experienced admins may take them for sole |
|
Hi, Thanks |
Affected software: CuppaCMS
Type of vulnerability: XSS (via SVG file upload)
Discovered by: BreachLock
Website: https://www.breachlock.com
Author: Balvinder Singh
Description: SVG files can contain Javascript in <script> tags. Browsers are smart enough to ignore scripts embedded in SVG files included via IMG tags. However, a direct request for an SVG file will result in the scripts being executed.
So an embedded SVG as an attachment in an issue or avatar does not execute the code, but if a user clicks on the attachment the code will execute.
Proof of concept:
Step1: Login to the cuppa cms.
Step2: In the table manager section, add a new file and there is an upload option choose files and upload a malicious SVG file.
URL: http://localhost/cuppa_cms/administrator/#/component/table_manager/view/cu_views
Step3: Now open that file which was saved as 1.svg the below output will be shown.
URL: http://localhost/cuppa_cms/administrator/media/media/upload_files/1.svg executed

The text was updated successfully, but these errors were encountered: