Stored Cross-site Scripting (XSS) via SVG file upload in courses. in gunet/openeclass

Valid

Reported on

Jun 14th 2022


Description

An attacker can upload and store a malicious SVG file through the assignment (work) submission form; when the stored file is opened, the client-side JavaScript embedded in it executes in the viewer's browser.

Replication Steps and Proof of Concept

We create a file named file.svg containing the following:

<svg width="100%" height="100%" viewBox="0 0 100 100"
     xmlns="http://www.w3.org/2000/svg">
  <circle cx="50" cy="50" r="45" fill="green"
          id="foo"/>
  <script type="text/javascript">
    // <![CDATA[
      alert("XSS");
   // ]]>
  </script>
</svg>

We upload the file in an active work assignment inside any course.

[Screenshot: poc1]

Clicking the link to the uploaded file results in the following code execution:

[Screenshot: poc2]

Impact

An attacker can execute code in the browser of the assigned supervisor/teacher who opens the file and thereby act as that user, performing any action the supervisor could: for example changing grades, reading, writing and deleting files the attacker is not authorised to access, or uploading and removing content.
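The maintainers' fix for this report was to remove SVG from the student upload whitelist. The following check is an added example of that defence, written for this page and not taken from openeclass: it rejects SVG by extension and also by sniffing the file content, so an SVG renamed to an allowed extension is caught as well. The allow-list and the sample inputs are constructed for the example.

```python
import re
from pathlib import PurePosixPath

# Constructed allow-list for this example (not the project's real list);
# "svg" and "svgz" are deliberately absent, mirroring the 3.13 fix.
ALLOWED_EXTENSIONS = {"pdf", "txt", "zip", "png", "jpg", "jpeg", "gif"}

# Material that may precede an XML root element: whitespace, the XML
# declaration, comments and a DOCTYPE. A '*' pattern always matches.
_XML_PROLOGUE = re.compile(rb"(?:\s+|<\?.*?\?>|<!--.*?-->|<!DOCTYPE[^>]*>)*",
                           re.DOTALL | re.IGNORECASE)
_SVG_ROOT = re.compile(rb"<svg[\s/>]", re.IGNORECASE)


def sniff_is_svg(data: bytes) -> bool:
    """True if the bytes are an SVG document, whatever the file is named."""
    head = data[:4096]                      # the root element is near the top
    if head.startswith(b"\xef\xbb\xbf"):    # skip a UTF-8 BOM
        head = head[3:]
    end = _XML_PROLOGUE.match(head).end()   # skip '<?xml ...?>', comments, ...
    return _SVG_ROOT.match(head, end) is not None


def check_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Decide whether a student upload may be stored; returns (ok, reason).

    The client-supplied Content-Type is deliberately ignored (it is attacker
    controlled); both the extension and the actual bytes are checked, so that
    'file.svg' and an SVG renamed to 'file.png' are both rejected.
    """
    ext = PurePosixPath(filename).suffix.lower().lstrip(".")
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension '{ext or '(none)'}' is not allowed"
    if sniff_is_svg(data):
        return False, "content is an SVG document regardless of its name"
    return True, "ok"


# Constructed sample inputs: a copy of the report's proof of concept (with an
# XML prologue added) and the start of a PNG file.
POC_SVG = (b'<?xml version="1.0"?>\n<!-- comment -->\n'
           b'<svg width="100%" height="100%" viewBox="0 0 100 100"\n'
           b'     xmlns="http://www.w3.org/2000/svg">\n'
           b'  <script type="text/javascript">alert("XSS");</script>\n</svg>\n')
PNG_HEADER = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16

if __name__ == "__main__":
    for name, blob in [("file.svg", POC_SVG), ("file.png", POC_SVG),
                       ("file.svg.png", POC_SVG), ("photo.PNG", PNG_HEADER)]:
        print(name, check_upload(name, blob))
```

Serving student uploads with a `Content-Disposition: attachment` header is a complementary measure, since it stops the browser rendering any stored file inline on the application's origin.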

We are processing your report and will contact the gunet/openeclass team within 24 hours. a year ago
We have contacted a member of the gunet/openeclass team and are waiting to hear back a year ago
Alexandros Diamantidis validated this vulnerability a year ago

Thank you for the report! We will remove SVG from the student upload whitelist in our next release (3.13), due for release in the next couple of days.

Thanos Apostolidis has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
We have sent a fix follow up to the gunet/openeclass team. We will try again in 7 days. a year ago
We have sent a second fix follow up to the gunet/openeclass team. We will try again in 10 days. a year ago
We have sent a third and final fix follow up to the gunet/openeclass team. This report is now considered stale. a year ago
Alexandros Diamantidis marked this as fixed in 3.13 with commit 26f952 a year ago
Alexandros Diamantidis has been awarded the fix bounty
This vulnerability will not receive a CVE