Stored Cross Site Scripting via SVG image upload in Gallery Functionality #587
Comments
|
Any update? |
|
Hi, we are currently discussing if this issue is relevant. As users of roles lesser than Root Administrator are able to edit HTML source code, they are allowed to add script tags to pages anyway. No need to use any SVG for that. |
|
Ok. I'll agree with you. |
|
We take this issue very seriously! However, we have to find a balance so that users can still use this SVG feature if they need it, while at the same time preventing users (that have an editor account on the system) from uploading "malicious" content. |
|
Absolutely right. Implementing validation on uploaded SVG content will reduce the risk. Try to avoid uploading an SVG that has malicious script tags, or perform additional checks while displaying the SVG content back in the application. |
|
Hi, can I get an exact ETA for this fix? |
|
We are still considering the best way to proceed here. We normally do not like to modify content uploaded by registered users. Perhaps the better option is to allow only “trusted” users to upload content anyway. |
|
We decided to refrain from changing the handling of SVG images. OpenCms administrators have the option to assign the right to upload resources to trusted users only. The same way, they may allow trusted users to add JavaScript directly to a page. |
|
No, that is not related. This issue concerns SVG files uploaded into OpenCms by registered users. |
|
@aKandzior was this issue ever addressed? And if so, could you kindly point out where it was fixed? Cheers! |
|
Please see the comment from @tHerrmann dated Sep. 25 2018 above. |
|
@aKandzior understood. |
|
I have submitted a request for rejection to MITRE with the following description: CVE-2018-8811 is linked to https://www.exploit-db.com/exploits/44392 Rationale for rejection: The uploaded content is stored in the CMS content repository "as is". It should be pointed out that to exploit the "issue", a user must have an account (!) in the CMS as a content manager. Moreover, uploads and other changes in the CMS content repository are logged with the user name / id. https://www.exploit-db.com/exploits/44392 |
Dear Team, I would like to report a persistent XSS vulnerability in the latest release. Mitre.org assigned a CVE ID for this.
Description:
Cross Site Scripting (XSS) Vulnerability in Gallery functionality in OpenCMS 10.5.3 allows remote attackers to execute arbitrary web script via a crafted SVG image.
Steps to Reproduce:
Fix:
Input file validation
Affected Version:
10.5.3 latest release
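The upload validation suggested in this thread, sketched as an added example (not OpenCms code and not part of the issue): a Python check that refuses SVG files carrying script-capable content. The function name, the element list and the sample files are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample uploads (not taken from the issue or from exploit-db).
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'
ACTIVE_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" '
              b'xmlns:xlink="http://www.w3.org/1999/xlink" onload="init()">'
              b'<script>init()</script>'
              b'<a xlink:href="javascript:init()"><rect width="1" height="1"/></a>'
              b'</svg>')

# Elements that can run script or embed a foreign document (assumed list).
ACTIVE_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}


def local(name):
    """Strip an ElementTree '{namespace}' prefix and lowercase the name."""
    return name.rsplit("}", 1)[-1].lower()


def find_active_content(data):
    """Return the reasons to refuse an uploaded SVG; an empty list means accept."""
    try:
        # Parsing a str pins the parser to UTF-8, whatever the file declares.
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return ["not UTF-8 text"]
    lowered = text.lower()
    if "<!doctype" in lowered or "<!entity" in lowered:
        return ["DTD or entity declaration"]  # no entity expansion tricks
    try:
        root = ET.fromstring(text)
    except ET.ParseError as exc:
        return ["not well-formed XML: %s" % exc]
    if local(root.tag) != "svg":
        return ["root element is not <svg>"]
    findings = []
    for el in root.iter():
        tag = local(el.tag)
        if tag in ACTIVE_ELEMENTS:
            findings.append("<%s> element" % tag)
        for name, value in el.attrib.items():
            attr = local(name)
            if attr.startswith("on"):
                findings.append("event handler %s on <%s>" % (attr, tag))
            # Browsers ignore whitespace and control characters in the scheme.
            scheme = "".join(c for c in value if c > " ").lower()
            if scheme.startswith("javascript:"):
                findings.append("javascript: URL in %s on <%s>" % (attr, tag))
    return findings
```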