Cross-site Scripting (XSS) - Stored in sergix44/xbackbone


Reported on

Jul 6th 2021

✍️ Description

Stored xss through file upload via a .svg file

🕵️‍♂️ Proof of Concept

Upload a .svg file with the following content:

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" ""><svg version="1.1" baseProfile="full" xmlns="">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">

give a name you want ending with .svg (store-xss.svg) for example and upload the file, after upload click on open alt text click on raw alt text see the stored-xss getting executed. alt text

💥 Impact

Possible to steal admin cookies or take over another account via cookie grepping.

💥 Remediation

Force the file to be downloaded instead of opening.

💥 References


We have contacted a member of the sergix44/xbackbone team and are waiting to hear back 2 years ago
sergix44/xbackbone maintainer
2 years ago

Hi! Thanks for your work. All the cookies used by XBB are set by the backend as http only. So no remember tokens or session token should be leaked with this attack. I'm going to make a patch, to return the svg as plain-text when using the raw mode. What do you think?

2 years ago


Hi thnx for the response. Yeah that would be great solution. An xss attack would not be possible

2 years ago


@maintainer Hi is it possible that you accept this as a bug ( as well as the other report) in that way i am getting paid through the platform

sergix44/xbackbone maintainer validated this vulnerability 2 years ago
ribersec has been awarded the disclosure bounty
The fix bounty is now up for grabs
Sergio Brighenti marked this as fixed with commit 840208 2 years ago
Sergio Brighenti has been awarded the fix bounty
This vulnerability will not receive a CVE
2 years ago

Yah great work guys ...

For your interest with XSS we can do many things other than steal cookies..

just to want say somethings for get more information.

to join this conversation