CVE-2018-7265 - Stored XSS vulnerability resulting from improper handling of uploaded SVG files #631
Comments
By "visiting the full image" I assume you mean the image URL is in the browser address bar (as opposed to visiting the page which embeds the image?). We're using I'll get researching mitigations for that, though suggestions are welcome if you know of any off the top of your head. Thanks for the report either way :)
paragonie/airship@7c9df9a is how they handled SVG files executing JS. Yes, the embedded page on its own won't execute, but seeing the image directly would allow execution of JS in the context of the DOM. I'll be requesting a CVE for this issue as well.
This has been assigned CVE-2018-7265
I believe this to be fixed in the develop branch in bc68137: Uploaded file:
File served to users:
Backported to master in 60d693d
Alright, I'll check if it's possible to bypass the solution or not.
Seems secure. I did some testing against the sanitize and I wasn't able to effectively come up with a manner to exploit it.
Cool, thanks again for making the world a safer place :)
During testing of your project, I came across a stored XSS vulnerability that stems from a lack of sanitizing and checking the integrity of SVG files being uploaded to the server.
Reproduction is quite easy, as all it requires is going to the image upload feature, selecting our crafted SVG file, then visiting the full image to receive the alert.
SVG file code:
https://ghostbin.com/paste/xkj2o
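The upload-side control the thread converges on is an SVG sanitizer that strips everything able to run script when the file is opened directly in the address bar. The sanitizer below is an added example written for this issue, not the project's fix (the real fix is in the commits referenced above); the sample SVG is constructed, not the reporter's file, and the rules it applies are a reasonable baseline rather than a complete allow-list.

```python
import re
import xml.etree.ElementTree as ET  # production code should use defusedxml (entity expansion)

SVG_NS = "http://www.w3.org/2000/svg"

# Elements that can execute script or embed arbitrary HTML/external content in an SVG.
FORBIDDEN_TAGS = {"script", "foreignObject", "iframe", "embed", "object", "use"}
# href / xlink:href values that reach script when the SVG is viewed directly.
# data: is rejected wholesale here; allow data:image/* if the application needs it.
DANGEROUS_URL = re.compile(r"^\s*(javascript|vbscript|data)\s*:", re.IGNORECASE)
# style values that load external resources or (in legacy engines) run script.
DANGEROUS_STYLE = re.compile(r"url\s*\(|expression\s*\(|@import|behavior\s*:", re.IGNORECASE)


def _local(qname):
    """'{namespace}name' -> 'name'; unnamespaced names pass through unchanged."""
    return qname.rsplit("}", 1)[-1]


def sanitize_svg(svg_bytes):
    """Return (sanitized_svg, removed), where removed lists every element/attribute dropped.
    Raises ValueError for non-XML input or a non-<svg> root so the upload can be rejected."""
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        raise ValueError(f"upload is not well-formed XML: {exc}") from exc
    if _local(root.tag) != "svg":
        raise ValueError("root element is not <svg>")
    removed = []
    # Pass 1: drop forbidden elements with their whole subtree (snapshot first, we mutate the tree).
    for parent in list(root.iter()):
        for child in list(parent):
            if _local(child.tag) in FORBIDDEN_TAGS:
                parent.remove(child)
                removed.append(f"<{_local(child.tag)}>")
    # Pass 2: drop event handlers and script-bearing attribute values on what is left.
    for el in root.iter():
        for attr, value in list(el.attrib.items()):
            name = _local(attr)
            if (name.lower().startswith("on")                           # onload=, onclick=, ...
                    or (name == "href" and DANGEROUS_URL.match(value))  # href= and xlink:href=
                    or (name == "style" and DANGEROUS_STYLE.search(value))):
                del el.attrib[attr]
                removed.append(f"@{name}")
    ET.register_namespace("", SVG_NS)  # serialise as <svg xmlns=...>, not ns0: prefixes
    return ET.tostring(root, encoding="unicode"), removed


# Constructed sample (not the reporter's file): the same class of payload the report describes.
SAMPLE = b"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
     onload="alert(1)"><script>alert(1)</script>
  <a xlink:href="javascript:alert(1)"><circle r="10" onclick="alert(1)"/></a><rect width="5" height="5"/></svg>"""

if __name__ == "__main__":
    clean, dropped = sanitize_svg(SAMPLE)
    print(dropped)  # ['<script>', '@onload', '@href', '@onclick']
    print(clean)
```

Sanitizing at upload time does not replace serving controls: a file that is still served directly should also go out with a restrictive Content-Security-Policy or as an attachment, so a sanitizer bypass does not become script execution in the site's origin.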