Cross-site Scripting (XSS) - Reflected in cloudreve/Cloudreve

Valid
Reported on May 21st 2021

💥 BUG

XSS via svg file upload

💥 SUMMARY

Cloudreve allows any user to sign up for an account.
So, an attacker can use this XSS to attack other users.
Cloudreve does not sanitize uploaded SVG files. An SVG file may contain JavaScript, and Cloudreve renders the file.

💥 ACCOUNT

1. admin --> user A --> attacker
2. user --> user B --> victim

💥 STEPS TO REPRODUCE

1. As admin (user A), go to the account and upload an SVG file with an XSS payload.
2. Share the resulting link, for example http://localhost:5212/api/v3/share/preview/vXFJ.
3. When user B opens this link, the XSS is executed.

💥 VIDEO

https://drive.google.com/file/d/1k-lyLfeSSlCunX_LuZiZDCIY6UT-wokB/view?usp=sharing

💥 IMPACT

One user can attack another user using an XSS attack.
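
A defender-side check for the unsanitized SVG rendering described in the summary, as an added example that is not part of the original report or of Cloudreve's code. It is written in Go, the language Cloudreve is implemented in; the function name, the element list and the sample are assumptions made for illustration.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"io"
	"strings"
)

// Elements that run or embed active content when a browser renders the SVG.
var activeElements = map[string]bool{"script": true, "foreignobject": true,
	"iframe": true, "embed": true, "object": true}

// ActiveSVGContent lists why an uploaded SVG could run script when rendered;
// empty means nothing flagged. Fails closed: a parse error is a finding.
func ActiveSVGContent(r io.Reader) []string {
	var findings []string
	dec := xml.NewDecoder(r)
	for {
		tok, err := dec.Token()
		if err == io.EOF {
			return findings
		} else if err != nil {
			return append(findings, "unparseable XML: "+err.Error())
		}
		el, ok := tok.(xml.StartElement)
		if !ok {
			continue
		}
		if name := strings.ToLower(el.Name.Local); activeElements[name] {
			findings = append(findings, "element <"+name+">")
		}
		for _, a := range el.Attr {
			attr := strings.ToLower(a.Name.Local)
			// Browsers ignore tabs/newlines inside a URL scheme: drop whitespace.
			val := strings.ToLower(strings.Join(strings.Fields(a.Value), ""))
			if strings.HasPrefix(attr, "on") {
				findings = append(findings, "event handler attribute "+attr)
			}
			if strings.Contains(val, "javascript:") {
				findings = append(findings, "javascript: URL in attribute "+attr)
			}
		}
	}
}

func main() { // the sample below is constructed, not taken from the report
	const sample = `<svg xmlns="http://www.w3.org/2000/svg" onload="void 0"><circle r="4"/></svg>`
	fmt.Println(ActiveSVGContent(strings.NewReader(sample)))
}
```

A scan like this is a second line of defence, since it only flags constructs it knows about. Serving user-uploaded SVG with `Content-Disposition: attachment` or under a `Content-Security-Policy: sandbox` response header stops script execution regardless of what the file contains.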