Cross-site Scripting (XSS) - Stored in apostrophecms/apostrophe
Jul 29th 2021
✍️ Description :
An attacker could upload a specially crafted SVG image containing malicious scripting code. When following a link to this image, the code would be executed.
🕵️‍♂️ Proof of Concept :
// PoC.js
var payload = ...

PoC link (demo instance): https://demo-ckrp2ycbk01etdvxw1myanric.apostrophecmsdemo.org/uploads/ckrp2ycbk01etdvxw1myanric/attachments/ckrp2ze0p01eydvxw81sbtqk4-xss-xml-svg-font-example-poc.svg
💥 Impact :
This vulnerability can be used, for example, to steal a user's session, take over a user's account, or redirect the user to an attacker-controlled site.
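
A defensive check for the upload path described above, as an added example that is not part of the original report or of ApostropheCMS's code: it scans an uploaded SVG for script-capable markup and rejects on any match, and lists response headers that stop a directly opened SVG from running script. The function name, finding labels, element list and sample files are assumptions made for illustration; the scan is textual and assumes the file is served and parsed as XML.

```javascript
// Added example: deny-on-match scan for active content in an uploaded SVG.
// A textual gate, not a sanitizer; all names here are hypothetical.
const FORBIDDEN_ELEMENTS = new Set(['script', 'foreignobject', 'iframe', 'embed', 'object']);
const URL_ATTRS = new Set(['href', 'xlink:href', 'src']);

// Headers for serving stored uploads, so a directly opened SVG cannot run script.
const SVG_RESPONSE_HEADERS = {
  'Content-Security-Policy': "default-src 'none'; style-src 'unsafe-inline'; sandbox",
  'X-Content-Type-Options': 'nosniff',
};

function findActiveSvgContent(svgText) {
  const findings = [];
  // Entity declarations can hide markup from a textual scan, so reject them.
  if (/<!ENTITY/i.test(svgText)) findings.push('entity-declaration');
  const tagRe = /<([A-Za-z][\w:.-]*)((?:"[^"]*"|'[^']*'|[^>"'])*)>/g;
  const attrRe = /([\w:.-]+)\s*=\s*(?:"([^"]*)"|'([^']*)')/g;
  for (const tag of svgText.matchAll(tagRe)) {
    const name = tag[1].toLowerCase().replace(/^.*:/, ''); // drop namespace prefix
    if (FORBIDDEN_ELEMENTS.has(name)) findings.push(`element:${name}`);
    for (const attr of tag[2].matchAll(attrRe)) {
      const attrName = attr[1].toLowerCase();
      // Strip whitespace and control characters before testing the scheme.
      const value = (attr[2] ?? attr[3] ?? '').replace(/[\s\u0000-\u001f]+/g, '').toLowerCase();
      if (attrName.startsWith('on')) findings.push(`handler:${attrName}`);
      if (!URL_ATTRS.has(attrName)) continue;
      if (value.startsWith('javascript:')) findings.push(`url:${attrName}`);
      // Character references in a URL are rejected rather than decoded.
      if (value.includes('&#')) findings.push(`encoded-url:${attrName}`);
    }
  }
  return findings;
}

// Constructed sample inputs (not the file from the report).
const SAMPLE_ACTIVE = `<svg xmlns="http://www.w3.org/2000/svg" onload="void 0">
  <script type="text/ecmascript">/* constructed placeholder */</script>
  <a xlink:href="javascript:void(0)"><text>x</text></a>
</svg>`;
const SAMPLE_CLEAN = `<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">
  <circle cx="5" cy="5" r="4" fill="teal"/>
</svg>`;

console.log(findActiveSvgContent(SAMPLE_ACTIVE)); // non-empty: reject the upload
console.log(findActiveSvgContent(SAMPLE_CLEAN));  // empty: accept the upload
```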