Cross-site Scripting (XSS) - Stored in kalcaddle/KodExplorer

Reported on May 12th 2021

✍️ Description

SVG files can be uploaded to the server and are then served back from the application's origin. Because SVG is an XML document that may carry `<script>` elements, `on*` event-handler attributes and `javascript:` links, an uploaded SVG containing such a payload executes as script in the context of the application whenever a user views it, giving a Stored XSS vulnerability.

🕵️‍♂️ Proof of Concept

  1. Log in with demo:demo as username and password (Kodcloud uses
  2. Right click, choose "Upload Files" and upload an SVG file containing an XSS payload
  3. Open the uploaded file in the browser; the payload executes in the application's origin
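The following is an added example, not part of this report and not code from KodExplorer: it builds the kind of SVG the PoC uploads (a constructed sample, not the reporter's file) and shows an upload-side check that flags the active-content constructs an SVG can carry. Element and attribute names follow the SVG and XLink specifications; the function names are this example's own.

```python
import xml.etree.ElementTree as ET

# Constructed sample of the kind of SVG the PoC uploads: script element,
# event-handler attribute and a javascript: link. Not the reporter's file.
MALICIOUS_SVG = b"""<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" width="100" height="100">
  <rect width="100" height="100" fill="red" onclick="alert(document.domain)"/>
  <script>alert(document.cookie)</script>
  <a xlink:href="java&#10;script:alert(1)"><text y="20">click</text></a>
</svg>"""

# Constructed benign sample: plain vector drawing, nothing executable.
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">
  <circle cx="5" cy="5" r="4" fill="blue"/>
</svg>"""

# Elements that embed script or arbitrary HTML inside an SVG.
ACTIVE_ELEMENTS = {"script", "foreignobject"}
# Attributes that carry a URL and therefore accept a javascript: scheme.
URL_ATTRIBUTES = {"href", "xlink:href"}
XLINK_NS = "http://www.w3.org/1999/xlink"


def _local_name(qualified):
    """Strip an ElementTree '{namespace}name' prefix and lowercase the name."""
    return qualified.rsplit("}", 1)[-1].lower()


def _is_javascript_url(value):
    """Browsers drop ASCII whitespace inside a URL before reading the scheme,
    so 'java\\nscript:' still runs; normalise the same way before checking."""
    return "".join(value.split()).lower().startswith("javascript:")


def find_active_content(svg_bytes):
    """Return a list of (kind, element) findings for constructs that execute
    script when the SVG is rendered inline. Empty list means nothing found.

    Caveat: xml.etree is not hardened against entity-expansion attacks; for
    untrusted input in production use the defusedxml package instead.
    """
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError:
        return [("malformed-xml", "")]

    findings = []
    for element in root.iter():
        name = _local_name(element.tag)
        if name in ACTIVE_ELEMENTS:
            findings.append(("script-element", name))
        for attr, value in element.attrib.items():
            attr_name = _local_name(attr)
            if attr.startswith("{%s}" % XLINK_NS):
                attr_name = "xlink:" + attr_name
            if attr_name.startswith("on"):
                findings.append(("event-handler", name))
            elif attr_name in URL_ATTRIBUTES and _is_javascript_url(value):
                findings.append(("javascript-url", name))
    return findings


def safe_to_serve_inline(svg_bytes):
    """True only when the upload carries none of the constructs above."""
    return find_active_content(svg_bytes) == []


if __name__ == "__main__":
    for label, sample in (("malicious", MALICIOUS_SVG), ("benign", BENIGN_SVG)):
        print(label, find_active_content(sample), safe_to_serve_inline(sample))
```

A check like this is defence in depth, not a complete fix: SVG has further ways to reference external content, so the reliable mitigation is to never serve user uploads inline from the application's origin, for example by sending them with `Content-Disposition: attachment`, from a separate origin, or after rasterising to PNG.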

💥 Impact

Script injected this way runs in the application's origin, so an attacker who gets a victim to open the uploaded file can steal session cookies and tokens, read and modify the victim's files through the application's own endpoints, and perform any other action the victim's browser is authorised to perform against the site.