Cross-site Scripting (XSS) - Stored in sylius/sylius

Valid

Reported on

Jul 5th 2021

✍️ Description

Open Source eCommerce Platform on Symfony this package vulnerable for stored xss thru svg files

🕵️‍♂️ Proof of Concept

po https://i.imgur.com/UNqIg8l.mp4

💥 Impact

This vulnerability is capable of XSS

Abdul muhaimin modified the report
a year ago
Abdul muhaimin modified the report
a year ago
We have contacted a member of the sylius team and are waiting to hear back a year ago
Łukasz
8 months ago

Maintainer

Hey Abdul,

thanks for submitting your ticket. For sure, we could sanitize svg files. However, can you provide an attack vector on how one would be able to take over the admin account? Regular users are not allowed to store any files in the default Sylius implementation. What is more, on your PoC you've used an admin account to upload the file. If the admin account is already compromised, this SVG XSS has for sure much lower severity.

Abdul muhaimin modified the report
8 months ago
Abdul muhaimin
8 months ago

Researcher

Hey @chrusciel

Sorry for that you are right the severity has been decreased as you said and a proper value

Abdul muhaimin modified the report
8 months ago
Abdul muhaimin modified the report
8 months ago
Łukasz Chruściel validated this vulnerability 8 months ago
Abdul muhaimin has been awarded the disclosure bounty
The fix bounty is now up for grabs
Łukasz Chruściel confirmed that a fix has been merged on 3da169 2 months ago
The fix bounty has been dropped
to join this conversation