Cross-site Scripting (XSS) - Stored in kalcaddle/KodExplorer

Valid
Reported on May 12th 2021

✍️ Description

KodExplorer accepts SVG uploads and lets users open the uploaded file in the browser. SVG is an XML document that can carry `<script>` elements, event-handler attributes such as `onload`, and `javascript:` links, so an uploaded SVG that is viewed directly from the application's origin runs attacker-controlled JavaScript in the browser of every user who opens it: a stored XSS.

🕵️‍♂️ Proof of Concept

  1. Log in to http://demo.kodcloud.com with demo:demo as username and password (Kodcloud uses https://github.com/kalcaddle/KodExplorer)
  2. Right click, choose "Upload Files" and upload an SVG file containing an XSS payload (a `<script>` element, an `onload` handler, or a `javascript:` link)
  3. Open the uploaded file directly in the browser (a direct view, not a thumbnail inside an `<img>` tag, where browsers do not run SVG scripts); the payload executes in the application's origin
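The report does not show the payload or what a fix looks like. The Python below is an added example, not part of the original report and not the project's own code: it constructs an SVG carrying the three common script vectors (the sample SVGs are constructed here), a hypothetical `find_svg_hazards` check an upload handler could run before storing the file, and a hypothetical `safe_download_headers` helper returning the response headers that keep an SVG from executing even when it is served.

```python
"""
Added example (not from the original report and not KodExplorer's own code):
builds the kind of SVG that triggers this stored XSS and shows the two
server-side controls a file manager needs: a content check that rejects
script-bearing SVGs, and response headers that stop an SVG from executing
even if it is served.  Helper names are hypothetical.
"""
import re
import xml.etree.ElementTree as ET

# Constructed PoC file: an SVG that executes JavaScript when a browser
# renders it as a top-level document (opened directly, Content-Type
# image/svg+xml).  It carries three independent vectors; any one suffices.
POC_SVG = """<?xml version="1.0" standalone="no"?>
<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink"
     width="200" height="200" onload="alert(document.domain)">
  <script type="text/javascript">alert(document.cookie);</script>
  <a xlink:href="javascript:alert(1)">
    <rect width="200" height="200" fill="red"/>
  </a>
</svg>
"""

# Constructed benign SVG for comparison.
BENIGN_SVG = """<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <circle cx="5" cy="5" r="4" fill="blue"/>
</svg>
"""

# Elements that can run script or smuggle HTML into an SVG document.
# 'set' and 'animate' are included because they can rewrite an <a> href
# to a javascript: URL at render time.
DANGEROUS_ELEMENTS = {"script", "foreignobject", "iframe", "embed",
                      "object", "set", "animate"}
DANGEROUS_SCHEMES = ("javascript:", "data:", "vbscript:")


def _local(name: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on tags/attributes."""
    return name.rsplit("}", 1)[-1].lower()


def _normalised_url(value: str) -> str:
    """Drop whitespace/control characters that browsers ignore inside a URL
    scheme, so 'java<TAB>script:' and ' JavaScript:' are still recognised."""
    return "".join(c for c in value if not c.isspace() and ord(c) > 31).lower()


def find_svg_hazards(svg_text: str) -> list:
    """Return a list of findings explaining why this SVG must be rejected.
    An empty list means no hazard was found."""
    # Refuse DOCTYPE/ENTITY up front: expat expands internal entities, which
    # enables entity-expansion DoS (use defusedxml in production code).
    if re.search(r"<!(DOCTYPE|ENTITY)", svg_text, re.IGNORECASE):
        return ["DOCTYPE or ENTITY declaration present"]
    try:
        root = ET.fromstring(svg_text.encode("utf-8"))
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]

    findings = []
    for el in root.iter():                      # document order, root first
        tag = _local(el.tag)
        if tag in DANGEROUS_ELEMENTS:
            findings.append(f"element <{tag}>")
        for attr, value in el.attrib.items():
            name = _local(attr)                 # xlink:href -> href
            if name.startswith("on"):           # onload, onclick, onbegin ...
                findings.append(f"event handler {name} on <{tag}>")
            elif name == "href" and _normalised_url(value).startswith(DANGEROUS_SCHEMES):
                findings.append(f"script URL in href on <{tag}>")
    return findings


def is_safe_svg(svg_text: str) -> bool:
    """True only if the SVG parsed cleanly and no hazard was found."""
    return not find_svg_hazards(svg_text)


def safe_download_headers(filename: str) -> dict:
    """Headers for serving an uploaded file the application did not sanitise.
    'attachment' stops the browser rendering the SVG as a document, nosniff
    prevents content-type guessing, and the CSP blocks script even if the
    file is somehow rendered inline (e.g. behind a misconfigured proxy)."""
    clean = re.sub(r'[\r\n"\\]', "", filename)  # no header injection via name
    return {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": f'attachment; filename="{clean}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "sandbox; default-src 'none'",
    }


if __name__ == "__main__":
    for label, doc in (("PoC", POC_SVG), ("benign", BENIGN_SVG)):
        print(label, "->", find_svg_hazards(doc) or "no hazards")
    print(safe_download_headers("payload.svg"))
```

The two controls cover different paths. Scripts inside an SVG never run when the file is displayed through an `<img>` tag or as a CSS background, so the reported path depends on the file being opened directly from the application's origin; `safe_download_headers` alone closes that path. The content check matters where the product wants to keep rendering SVGs inline (previews, avatars) and for files that will be downloaded and opened elsewhere.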

💥 Impact

The payload runs with the full privileges of the KodExplorer origin, so the same-origin policy offers no protection: it can read the victim's session cookie if it is not marked HttpOnly, read localStorage, and send authenticated requests to the application on the victim's behalf, performing any action the victim's account can. Any user who opens the uploaded file is affected, and the file persists on the server until removed.