Bypassing SVG content cleaning lead to Stored XSS in microweber/microweber


Reported on

Jun 29th 2022


the application is accepting SVG files as an image and applies a sanitize on the SVG content to avoid XSS attacks using the following snippet of code

} else if ($ext === 'svg') {

    if (is_file($filePath)) {
        $sanitizer = new \enshrined\svgSanitize\Sanitizer();
        // Load the dirty svg
        $dirtySVG = file_get_contents($filePath);
            // Pass it to the sanitizer and get it back clean
        $cleanSVG = $sanitizer->sanitize($dirtySVG);
        file_put_contents($filePath, $cleanSVG);

    $valid = true;

the main point here is if the extension is svg the cleaning will happen so I could bypass it by uploading a file with the extension name Svg not svg just by making the s capital letter this will break the if statement and will bypass the cleaning of XSS payloads.

The following is the content used as a XSS payload

<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" ""><svg version="1.1" baseProfile="full" xmlns="">
   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
   <script type="text/javascript">

to get the uploading request you can use any uploading function like the one in this page to upload image to the page the request sent to /plupload


This finding could be used to execute JS code on the users who will open the link of the SVG file.

We are processing your report and will contact the microweber team within 24 hours. a year ago
We have contacted a member of the microweber team and are waiting to hear back a year ago
Peter Ivanov validated this vulnerability a year ago
Mohamed Sayed has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Peter Ivanov marked this as fixed in 1.2.19 with commit 9ebbb4 a year ago
Peter Ivanov has been awarded the fix bounty
This vulnerability will not receive a CVE
to join this conversation