Version impacted
v1.11.4 Vulnerability details(POC)
The file with the suffix .svg saves the following code. After uploading to the server, you can execute any js code. If the ordinary user has permission to upload files, the administrator user accidentally accesses the malicious svg uploaded by the user, then the ordinary user. It is possible to obtain the cookie information of the administrator user, resulting in an increase in the rights of the ordinary user. It is dangerous for the system to allow uploading svg files.
Access the file and find that malicious code has been executed Vulnerability related code
The media_uploadAction function in /src/core/controllers/admin.php allows uploading svg files
Version impacted
v1.11.4
Vulnerability details(POC)
The file with the suffix .svg saves the following code. After uploading to the server, you can execute any js code. If the ordinary user has permission to upload files, the administrator user accidentally accesses the malicious svg uploaded by the user, then the ordinary user. It is possible to obtain the cookie information of the administrator user, resulting in an increase in the rights of the ordinary user. It is dangerous for the system to allow uploading svg files.
Access the file and find that malicious code has been executed
Vulnerability related code
The media_uploadAction function in /src/core/controllers/admin.php allows uploading svg files
Repair suggestion
Remove svg files from the list
The text was updated successfully, but these errors were encountered: