Cross-site Scripting (XSS) - Stored in sylius/sylius
Jul 5th 2021
Open Source eCommerce Platform on Symfony. This package is vulnerable to stored XSS through SVG files.
🕵️♂️ Proof of Concept
This vulnerability is capable of XSS
Thanks for submitting your ticket. For sure, we could sanitize SVG files. However, can you provide an attack vector showing how one would be able to take over the admin account? Regular users are not allowed to store any files in the default Sylius implementation. What is more, in your PoC you've used an admin account to upload the file. If the admin account is already compromised, this SVG XSS has for sure a much lower severity.
Sorry for that, you are right. The severity has been decreased as you said, to a proper value.
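The maintainer's remark that SVG files "could be sanitized" is the fix a practitioner would want to see spelled out. The following is an added example, not code from the report or from the Sylius project, and Python is used only because it makes the check easy to run stand-alone; a Symfony application would do the same at the upload validator. The SVG payload, the `ACTIVE_TAGS`/`SCRIPT_SCHEMES` lists and the function names are this example's own constructions. It shows the three usual SVG XSS carriers (a `<script>` element, an `on*` event handler, a `javascript:` link) being detected and then stripped:

```python
"""Check an uploaded SVG for script-bearing content and strip it.

Added example, not Sylius code. The SVG below is constructed to carry the
three common SVG XSS vectors; the function names are this example's own.
"""
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
# Keep the usual prefixes when the cleaned document is serialised.
ET.register_namespace("", SVG_NS)
ET.register_namespace("xlink", XLINK_NS)

# Elements that run script or embed active/foreign content when rendered
# (illustrative denylist, not an exhaustive one).
ACTIVE_TAGS = {"script", "foreignObject", "iframe", "embed", "object", "handler"}
# URL schemes that execute when the SVG is navigated to or rendered inline.
SCRIPT_SCHEMES = ("javascript:", "vbscript:", "data:text/html")

# Constructed payload (not from the report): event handler on the root,
# a <script> element and a javascript: link wrapping a harmless shape.
MALICIOUS_SVG = b"""<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
     width="100" height="100" onload="alert(document.domain)">
  <script>alert('stored xss')</script>
  <a xlink:href="javascript:alert(1)"><circle cx="50" cy="50" r="40" fill="red"/></a>
</svg>
"""


def _local(qname):
    """Drop the {namespace} prefix ElementTree puts on qualified names."""
    return qname.split("}", 1)[1] if qname.startswith("{") else qname


def _is_script_attr(qname, value):
    """True for on* event handlers and href values with a script scheme."""
    name = _local(qname)
    if name.lower().startswith("on"):
        return True
    return name == "href" and value.strip().lower().startswith(SCRIPT_SCHEMES)


def find_active_content(svg_bytes):
    """Return (element, reason) findings; an empty list means nothing script-capable was seen."""
    root = ET.fromstring(svg_bytes)
    findings = []
    for el in root.iter():
        name = _local(el.tag)
        if name in ACTIVE_TAGS:
            findings.append((name, "active element"))
        for attr, value in el.attrib.items():
            if _is_script_attr(attr, value):
                findings.append((name, "script-capable attribute " + _local(attr)))
    return findings


def sanitize_svg(svg_bytes):
    """Return the SVG with active elements and script-capable attributes removed.

    Shapes, paths and text are kept; anything that can execute is dropped
    outright rather than escaped, so the result can be re-checked with
    find_active_content().
    """
    root = ET.fromstring(svg_bytes)
    # Snapshot the tree before mutating it; removing a child of an
    # already-removed element is harmless.
    for parent in list(root.iter()):
        for child in list(parent):
            if _local(child.tag) in ACTIVE_TAGS:
                parent.remove(child)
    for el in root.iter():
        for attr in list(el.attrib):
            if _is_script_attr(attr, el.attrib[attr]):
                del el.attrib[attr]
    return ET.tostring(root)


if __name__ == "__main__":
    for element, reason in find_active_content(MALICIOUS_SVG):
        print(f"{element}: {reason}")
    print(sanitize_svg(MALICIOUS_SVG).decode())
```

Two caveats worth keeping in mind when applying this to a real upload path. First, the denylist above is illustrative; a production sanitizer should allowlist the elements and attributes it knows to be inert, and the XML parser fed with untrusted input should be hardened against entity-expansion attacks. Second, the exposure depends on how the stored file is served: an SVG referenced from an `<img>` tag does not execute script, but the same file opened directly at its URL, or inlined into the page, does, which is why a stored SVG is a stored XSS vector at all and why serving user SVGs with `Content-Disposition: attachment` is a common complementary mitigation.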