Stored XSS via SVG File in inventree/inventree
Reported on
Sep 16th 2022
Description
By uploading SVG files, an authenticated user can perform a stored XSS attack: the uploaded file is served back unmodified from the application's own origin, so any script it contains runs in the context of whoever opens it.
Proof of Concept
Copy the following code and save it as filename.svg:
<x:script xmlns:x="http://www.w3.org/1999/xhtml">alert(document.domain)</x:script>
[1] Log in as a user with upload permission.
[2] Upload the payload-injected SVG file at https://demo.inventree.org/order/sales-order/3/
[3] Copy the URL of the uploaded SVG file and open it in a new tab (every logged-in user can access this URL).
[4] The script executes (https://demo.inventree.org/media/so_files/3/yourfile.svg).
If you need more specific information, feel free to contact me.
Impact
If an attacker can execute script in a victim's browser via the SVG file, they may compromise that user's session, for example by stealing its cookies, since the script runs on the application's origin.
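The following is an added example, not InvenTree's code and not the fix the maintainers shipped: a stdlib-only Python validator of the kind an upload handler could call before accepting an SVG. It rejects the exact payload from the proof of concept (the root element is a namespaced XHTML script, not an svg element) and the usual variants: script elements in any namespace, foreignObject, event-handler attributes, javascript:/data: hrefs, CSS that imports or references external URLs, and entity declarations. The function names, the benign sample file and the structure are assumptions made for illustration.

```python
"""Allow-list style check for user-uploaded SVG files (added example).

This is not InvenTree's implementation; it only shows the kind of check
that would have stopped the payload in the report above.
"""
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"

# Elements that can run script or embed foreign documents, matched on the
# local name so a namespaced <x:script> is caught as well as a plain <script>.
FORBIDDEN_TAGS = {"script", "foreignobject", "iframe", "embed", "object"}

# Allowed href values: fragment, http(s), root-relative, or a relative path
# with no scheme at all. Anything with another scheme (javascript:, data:) fails.
SAFE_SCHEME = re.compile(r"^(?:#|https?://|/|[^:]*$)", re.I)

# CSS that pulls in external content: @import, or url(...) not pointing at
# a local fragment (fill:url(#gradient) is legitimate and very common).
EXTERNAL_CSS = re.compile(r"@import|url\(\s*['\"]?\s*(?!#)", re.I)


class UnsafeSVG(ValueError):
    """Raised when an uploaded file must not be served as image/svg+xml."""


def _local(qname: str) -> str:
    # ElementTree expands prefixes to '{namespace}name'; keep only 'name'.
    return qname.rsplit("}", 1)[-1].lower()


def validate_svg(data: bytes) -> None:
    """Raise UnsafeSVG unless *data* is a well-formed, script-free SVG document."""
    # Internal entity declarations enable XXE / billion-laughs style attacks and
    # are never needed for an image. (For production use, defusedxml is the
    # safer parser; this example stays stdlib-only.)
    if b"<!entity" in data.lower():
        raise UnsafeSVG("entity declarations are not allowed")
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        raise UnsafeSVG(f"not well-formed XML: {exc}") from exc
    # The report's payload has an XHTML <script> as its root element; a real
    # SVG file always has <svg> in the SVG namespace at the top.
    if root.tag != f"{{{SVG_NS}}}svg":
        raise UnsafeSVG(f"root element is {root.tag!r}, expected SVG <svg>")
    for el in root.iter():
        name = _local(el.tag)
        if name in FORBIDDEN_TAGS:
            raise UnsafeSVG(f"forbidden element <{name}>")
        for attr, value in el.attrib.items():
            aname = _local(attr)
            if aname.startswith("on"):
                raise UnsafeSVG(f"event handler attribute {aname!r}")
            if aname == "href" and not SAFE_SCHEME.match(value.strip()):
                raise UnsafeSVG(f"unsafe URL in {aname!r}: {value!r}")
            if aname == "style" and EXTERNAL_CSS.search(value):
                raise UnsafeSVG("external reference in style attribute")
        if name == "style" and el.text and EXTERNAL_CSS.search(el.text):
            raise UnsafeSVG("external reference inside <style>")


def is_safe_svg(data: bytes) -> bool:
    """Boolean wrapper around validate_svg for use in an upload handler."""
    try:
        validate_svg(data)
        return True
    except UnsafeSVG:
        return False


# The payload from the proof of concept above, byte for byte.
REPORT_PAYLOAD = b'<x:script xmlns:x="http://www.w3.org/1999/xhtml">alert(document.domain)</x:script>'

# Constructed benign sample: a plain circle using a local gradient reference.
BENIGN_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
    b'<circle cx="5" cy="5" r="4" style="fill:url(#g)"/></svg>'
)

if __name__ == "__main__":
    for label, blob in (("report payload", REPORT_PAYLOAD), ("benign", BENIGN_SVG)):
        print(f"{label}: {'accepted' if is_safe_svg(blob) else 'rejected'}")
```

Validation of the file content is only one layer. Because the file is fetched from the application's own origin, a missed bypass still executes there; serving user uploads with Content-Disposition: attachment, or from a separate origin, removes the stored-XSS impact even when the validator is wrong.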
Thank you for your report @mike993! Do you have a suggestion for good svg validation in Django?
In my experience, I used these two libraries:
- https://github.com/mattkrick/sanitize-svg (easier, with example client and server side)
- https://github.com/clones/html5lib/blob/master/python/src/html5lib/sanitizer.py (can be used also with html tag)
I hope I was helpful.
@mike993 thanks for the hints, a possible fix is being reviewed now.
Happy to assign a CVE once we get the go-ahead from the maintainer 👍
@admin go-ahead from my side for a CVE. The fix is released and already deployed on the bigger deployments