This repository has been archived by the owner on Jan 5, 2023. It is now read-only.
Cross Site Scripting (XSS) #53
Comments

@patkon
I think the best solution will be to remove SVG support from the core. Maybe I will write an addon to enable secure SVG upload later.
Yes. That is a good idea for this issue!

patkon added a commit that referenced this issue on Aug 18, 2021:
These file types must be sanitized before uploading. #53
Hello friends, the problem is still there and still critical! Proof XSS Stored: Proof=PHPSESSID:
Please fix this problem and be more focused and responsible! BR, @nu11secur1ty, System Administrator - Infrastructure and Penetration Testing Engineer.
Thank you for reporting. I've just released Version 2.0.8. From this version on, there is no more SVG and XML upload.

Ok, thank you.
Describe the bug
Cross Site Scripting (XSS) via upload image function

To Reproduce
Steps to reproduce the behavior:

Screenshots
xss.svg

Desktop (please complete the following information):

Additional context
XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser-side script, to a different end user.
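The fix shipped in 2.0.8 simply stops accepting SVG and XML uploads. The block below is an added example, not code from this issue or from the project, of what such an upload check has to cover: blocking by extension alone is not enough, because an SVG renamed to `.png` (or given a double extension such as `xss.svg.png`) still carries its script, so the file content is inspected as well and then matched against the declared extension. The `XSS_SVG` payload, the truncated PNG/JPEG headers, the allowlist tables and every function name are constructed for the example (the real `xss.svg` attached to the issue is not on the page).

```python
import re
from typing import Optional, Tuple

# Constructed sample payload (not the issue's xss.svg): a minimal SVG that
# runs script both via an event handler and via an embedded <script> element.
XSS_SVG = (
    b'<?xml version="1.0" encoding="UTF-8"?>\n'
    b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.cookie)">\n'
    b'  <script>alert(document.cookie)</script>\n'
    b'</svg>\n'
)
# Constructed, truncated raster headers: enough bytes for the signature sniff.
PNG_STUB = b"\x89PNG\r\n\x1a\n" + b"\x00" * 24
JPEG_STUB = b"\xff\xd8\xff\xe0" + b"\x00" * 24

# Extensions that can carry active content when served inline. The 2.0.8 fix
# drops SVG and XML; the HTML variants are added here because they fail the
# same way if a browser renders them as a document.
BLOCKED_EXT = {"svg", "svgz", "xml", "xhtml", "html", "htm"}

# Raster formats we accept, keyed by the magic bytes they must start with.
RASTER_MAGIC = [
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
]
ALLOWED_EXT = {"png": "png", "jpg": "jpeg", "jpeg": "jpeg", "gif": "gif"}

# Markup openers searched for in the first 1 KiB, case-insensitively.
_MARKUP_RE = re.compile(rb"<\s*(\?xml|svg|!doctype|html|script)", re.IGNORECASE)
_UTF8_BOM = b"\xef\xbb\xbf"


def sniff_raster(data: bytes) -> Optional[str]:
    """Return the raster type implied by the file signature, or None."""
    for magic, kind in RASTER_MAGIC:
        if data.startswith(magic):
            return kind
    return None


def looks_like_markup(data: bytes) -> bool:
    """True if the bytes read as XML/SVG/HTML regardless of the file name."""
    head = data[len(_UTF8_BOM):] if data.startswith(_UTF8_BOM) else data
    head = head.lstrip()  # leading whitespace does not stop a browser parsing it
    return head.startswith(b"<") or bool(_MARKUP_RE.search(data[:1024]))


def validate_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Accept only raster images whose content matches the declared extension.

    Returns (accepted, reason_or_detected_type).
    """
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext in BLOCKED_EXT:
        return False, f"extension .{ext} is not accepted"
    if ext not in ALLOWED_EXT:
        return False, f"extension .{ext} is not on the allowlist"
    # Content checks: a renamed SVG still begins with '<' or '<?xml'.
    if looks_like_markup(data):
        return False, "content is XML/HTML markup, not a raster image"
    kind = sniff_raster(data)
    if kind is None:
        return False, "content does not start with a known image signature"
    if kind != ALLOWED_EXT[ext]:
        return False, f"content is {kind} but extension says {ext}"
    return True, kind


if __name__ == "__main__":
    for name, blob in [("xss.svg", XSS_SVG), ("xss.png", XSS_SVG),
                       ("xss.svg.png", XSS_SVG), ("photo.PNG", PNG_STUB),
                       ("photo.jpg", PNG_STUB), ("photo.jpg", JPEG_STUB)]:
        print(name, validate_upload(name, blob))
```

Even with this in place, accepted files should be served with an image `Content-Type` and `X-Content-Type-Options: nosniff`, and ideally from a separate origin, so a file that slips through is never interpreted as a document on the application's origin. The "secure SVG upload" addon mentioned in the thread would have to replace the blanket rejection with an allowlist-based SVG sanitizer that strips `<script>`, `on*` handlers, `<foreignObject>` and external references; an extension check cannot do that job.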