Stored Cross-site Scripting (XSS) via SVG file upload in courses. in gunet/openeclass

Valid

Reported on

Jun 14th 2022


Description

A student can upload an SVG file containing JavaScript as a submission in the Work (assignments) module of a course. The file is stored by the application and served back from its own origin, so when a teacher or supervisor opens the submission in a browser the embedded script executes in that user's session (stored XSS).

Replication Steps and Proof of Concept

We create a file named file.svg containing the following:

<svg width="100%" height="100%" viewBox="0 0 100 100"
     xmlns="http://www.w3.org/2000/svg">
  <circle cx="50" cy="50" r="45" fill="green"
          id="foo"/>
  <script type="text/javascript">
    // <![CDATA[
      alert("XSS");
    // ]]>
  </script>
</svg>

We upload the file as a submission to an active assignment in the Work module of any course in which the attacker is enrolled as a student.

[Screenshot poc1: the uploaded file.svg in the assignment submission]

Opening the uploaded file from its link in the submission list serves the SVG inline, and the embedded script runs in the viewer's browser:

[Screenshot poc2: the alert("XSS") dialog displayed on the Open eClass origin]
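As an added example, not code from this report or from the Open eClass project, the following Python sketches the server-side checks that would have blocked the submission above: a content scan that detects script-carrying SVG regardless of what the filename claims, and an upload policy that either drops SVG from the student whitelist (the approach the maintainers took) or, if SVG must be accepted, stores it only after the scan passes and then serves it as a download so it never renders on the application's origin. The whitelist, the function names and the three sample files are assumptions constructed for the demonstration.

```python
"""Server-side screening for SVG uploads (added example, not Open eClass code)."""
import re
import xml.etree.ElementTree as ET

# Constructed sample: the payload shape from the report above.
POC_SVG = b"""<svg width="100%" height="100%" viewBox="0 0 100 100"
     xmlns="http://www.w3.org/2000/svg">
  <circle cx="50" cy="50" r="45" fill="green" id="foo"/>
  <script type="text/javascript">
    // <![CDATA[
      alert("XSS");
    // ]]>
  </script>
</svg>"""

# Constructed sample: no <script> element, script hidden in an event handler attribute.
POC_SVG_HANDLER = b"""<svg xmlns="http://www.w3.org/2000/svg" onload="alert('XSS')">
  <circle cx="50" cy="50" r="45" fill="green"/>
</svg>"""

# Constructed sample: a harmless icon.
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">
  <rect x="1" y="1" width="8" height="8" fill="#369"/>
</svg>"""

_URI_SCHEME = re.compile(r"^\s*(javascript|vbscript|data)\s*:", re.I)


def _local(qname):
    """Strip the {namespace} prefix ElementTree puts on tags and attributes."""
    return qname.rsplit("}", 1)[-1]


def find_active_content(data):
    """List the constructs that let an SVG run script when rendered as a document:
    <script>, <foreignObject> (embeds HTML), on* handler attributes and href values
    with a script-capable scheme. stdlib ElementTree is used for brevity; on untrusted
    input in production parse with defusedxml to also cover entity-expansion attacks."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    findings = []
    for el in root.iter():
        tag = _local(el.tag)
        if tag in ("script", "foreignObject"):
            findings.append(f"<{tag}> element")
        for attr, value in el.attrib.items():
            name = _local(attr)
            if name.lower().startswith("on"):
                findings.append(f"{name} handler on <{tag}>")
            elif name == "href":
                m = _URI_SCHEME.match(value)
                if m:
                    findings.append(f"{m.group(1).lower()}: URI in href on <{tag}>")
    return findings


def looks_like_svg(data):
    """True if the bytes parse as XML with an <svg> root, whatever the filename claims."""
    try:
        return _local(ET.fromstring(data).tag) == "svg"
    except ET.ParseError:
        return False


# Assumed extension whitelist for student submissions. The project's fix (release 3.13)
# dropped "svg" from its list; passing a set that still contains "svg" exercises the
# alternative of accepting SVG only after scanning it and serving it as a download.
STUDENT_EXTENSIONS = frozenset({"pdf", "png", "jpg", "jpeg", "gif", "txt", "zip"})


def accept_upload(filename, data, allowed_ext=STUDENT_EXTENSIONS):
    """Decide whether a submission may be stored and, if so, which response headers
    it must later be served with. Returns (accepted, reason_or_headers)."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in allowed_ext:
        return False, f"extension .{ext} not in whitelist"
    # Judge the content, not just the name: an SVG renamed to .png still parses as SVG.
    if looks_like_svg(data):
        if ext != "svg":
            return False, "SVG content under a non-SVG extension"
        findings = find_active_content(data)
        if findings:
            return False, "active content: " + "; ".join(findings)
    headers = {"X-Content-Type-Options": "nosniff"}  # no browser type guessing
    if ext == "svg":
        # Even a clean SVG is delivered as a download, so it is never rendered as a
        # document on the application's origin where it could reach the viewer's session.
        safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", filename)
        headers["Content-Type"] = "image/svg+xml"
        headers["Content-Disposition"] = f'attachment; filename="{safe_name}"'
    return True, headers


if __name__ == "__main__":
    for name, blob in (("file.svg", POC_SVG), ("file.svg", POC_SVG_HANDLER),
                       ("icon.svg", BENIGN_SVG), ("file.png", POC_SVG)):
        print(name, accept_upload(name, blob, STUDENT_EXTENSIONS | {"svg"}))
```

Running the module prints the decision for each sample. The scanner is a safety net around the whitelist decision, not a replacement for it: SVG keeps gaining features, and a denylist of dangerous constructs is easy to leave incomplete. Removing the type from the student whitelist, as the maintainers did, is the simpler guarantee; if SVG has to be accepted, the Content-Disposition: attachment header is what keeps a missed construct from ever executing on the application's origin.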

Impact

The script runs in the browser of whoever opens the submission, typically the teacher or supervisor who grades it, and therefore with that user's session on the Open eClass origin. A student can thus perform any action the teacher can perform: change grades, read, write and delete files the student is not authorized to access, and upload or remove course content. The attack depends on the SVG being served inline from the application's own origin; a file delivered with Content-Disposition: attachment, or from a separate origin, would not reach the teacher's session.

We are processing your report and will contact the gunet/openeclass team within 24 hours. 2 months ago
We have contacted a member of the gunet/openeclass team and are waiting to hear back 2 months ago
Alexandros Diamantidis validated this vulnerability 2 months ago

Thank you for the report! We will remove SVG from the student upload whitelist in our next release (3.13), due for release in the next couple of days.

Thanos Apostolidis has been awarded the disclosure bounty
We have sent a fix follow up to the gunet/openeclass team. We will try again in 7 days. 2 months ago
We have sent a second fix follow up to the gunet/openeclass team. We will try again in 10 days. 2 months ago
We have sent a third and final fix follow up to the gunet/openeclass team. This report is now considered stale. a month ago
Alexandros Diamantidis confirmed that a fix has been merged on 26f952 10 days ago
Alexandros Diamantidis has been awarded the fix bounty