Stored XSS via .svg file upload in luyadev/luya-module-admin

Valid

Reported on

Apr 1st 2022


Description

The application allows .svg files to be uploaded, which leads to stored XSS.

Proof of Concept

1. Download the payload XSS.svg from the drive link below and go to "Files".

2. Now click on "Add file" and upload the downloaded payload.

3. Then view the uploaded file's details and open the file path; once you open it, the XSS will trigger (Link: https://demo.luya.io/storage/xss_197a764d.svg)

Video PoC

https://drive.google.com/drive/folders/1TvitLP-w-hbVD44-csA7ZSASrhYlKQN1?usp=sharing

Impact

This allows attackers to execute malicious scripts in the user's browser and it can lead to session hijacking, sensitive data exposure, and worse.
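The root cause described in this report is that an upload endpoint accepts SVG, which is an XML document browsers render as markup (so `<script>`, event-handler attributes and `javascript:` links inside it execute in the origin that serves the file). The gatekeeper below is an added example written for this page, not code from LUYA or from the report; it assumes a generic upload handler that receives the filename, the client-declared MIME type and the raw bytes. It shows two defender-side points the thread touches on: rejecting SVG by default (the direction of the maintainer's fix), and why the decision must not rest on the client-declared MIME type alone, since that value and the extension are attacker-controlled and the file body is what the browser actually interprets. The sample SVG documents are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# MIME types under which a browser renders the body as an SVG document.
SVG_MIME_TYPES = {"image/svg+xml", "image/svg"}

# SVG content that can run script or embed HTML; this is a deliberately
# conservative list, not an exhaustive sanitizer.
ACTIVE_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}
EVENT_ATTR = re.compile(r"^on[a-z]+$", re.I)


def _local_name(qualified: str) -> str:
    """Strip an ElementTree '{namespace}name' prefix and lower-case the result."""
    return qualified.rsplit("}", 1)[-1].lower()


def looks_like_svg(data: bytes) -> bool:
    """Sniff the body: an SVG is any XML whose root element is <svg>,
    whatever the extension or declared MIME type says."""
    head = data.lstrip()[:4096]
    # Cheap pre-filter: binary images never start with '<' (optionally after a BOM).
    if not head.startswith((b"<", b"\xef\xbb\xbf<")):
        return False
    try:
        # NOTE: for untrusted XML in production prefer defusedxml; stdlib
        # ElementTree does not fetch external entities but is still a full parser.
        root = ET.fromstring(data)
    except ET.ParseError:
        return False
    return _local_name(root.tag) == "svg"


def find_active_content(data: bytes) -> list[str]:
    """Return a list of human-readable findings for script-bearing constructs.
    An unparseable body is itself a finding, because it cannot be inspected."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return ["not well-formed XML"]
    findings = []
    for el in root.iter():
        tag = _local_name(el.tag)
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"<{tag}> element")
        for name, value in el.attrib.items():
            attr = _local_name(name)
            if EVENT_ATTR.match(attr):
                findings.append(f"{attr} handler on <{tag}>")
            elif attr == "href":
                # Browsers ignore leading control characters and whitespace in
                # URL schemes, so normalise before comparing.
                scheme = re.sub(r"[\x00-\x20]", "", value).lower()
                if scheme.startswith("javascript:"):
                    findings.append(f"javascript: URL on <{tag}>")
    return findings


def check_upload(filename: str, declared_mime: str, data: bytes,
                 allow_svg: bool = False) -> tuple[bool, str]:
    """Decide whether an upload may be stored.

    Default policy rejects every SVG (extension, declared MIME type OR sniffed
    body). With allow_svg=True, only SVGs without active content pass; that
    still only makes sense if the files are served with a restrictive
    Content-Security-Policy or from a separate origin."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    is_svg = (ext in {"svg", "svgz"}
              or declared_mime.lower() in SVG_MIME_TYPES
              or looks_like_svg(data))
    if not is_svg:
        return True, "not an SVG; apply the normal image checks"
    if not allow_svg:
        return False, "SVG uploads are disabled by default"
    findings = find_active_content(data)
    if findings:
        return False, "SVG contains active content: " + "; ".join(findings)
    return True, "SVG without active content"


# Constructed samples (not the report's payload): a plain icon, an SVG carrying
# a <script> element, and one using an event-handler attribute.
BENIGN_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
              b'<circle cx="5" cy="5" r="4"/></svg>')
SCRIPTED_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg">'
                b'<script>console.log(1)</script></svg>')
HANDLER_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" onload="console.log(1)">'
               b'<rect width="1" height="1"/></svg>')

if __name__ == "__main__":
    # The same script-bearing body presented as a PNG is still caught by sniffing.
    for name, mime, body in [("icon.svg", "image/svg+xml", BENIGN_SVG),
                             ("XSS.svg", "image/svg+xml", SCRIPTED_SVG),
                             ("logo.png", "image/png", SCRIPTED_SVG)]:
        print(name, check_upload(name, mime, body, allow_svg=True))
```

The check deliberately treats an unparseable "SVG" as rejected rather than as harmless, and it makes the decision from the body, not the filename. Even with the upload side tightened, the stored file in this report executed because it was served from the application's own origin; serving user uploads with `Content-Disposition: attachment` or from a dedicated static origin keeps any file that does slip through from running in the admin session's context.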

References

We are processing your report and will contact the luyadev/luya-module-admin team within 24 hours. 3 months ago
SAMPRIT DAS modified the report
3 months ago
We have contacted a member of the luyadev/luya-module-admin team and are waiting to hear back 3 months ago
We have sent a follow up to the luyadev/luya-module-admin team. We will try again in 7 days. 3 months ago
We have sent a second follow up to the luyadev/luya-module-admin team. We will try again in 10 days. 2 months ago
luyadev/luya-module-admin maintainer has acknowledged this report 2 months ago
SAMPRIT DAS
2 months ago

Researcher


@admin any update on this report?

Jamie Slome
a month ago

Admin


It looks like the maintainer has acknowledged the report, and so we will wait to see if we hear back from them shortly.

We do always have the 90-day timeline where we can make it public once this timeframe has elapsed post-submission.

Basil
a month ago

Maintainer


This is not critical in your system; developers can upload SVGs. It's not a problem at all. We have changed the default settings now according to the issue, which will by default blacklist SVG MIME types. No CVE is required here!

Basil
a month ago

Maintainer


  • this is not critical in OUR system
SAMPRIT DAS
a month ago

Researcher


@maintainer This is another report of mine, similar to this one, where the severity is marked as critical: https://huntr.dev/bounties/b0c4f992-4ac8-4479-82f4-367ed1a2a826/

Okay, no problem if you do not agree to assign a CVE for this report, but at least you can validate the report and confirm the fix, right?

SAMPRIT DAS modified the report
a month ago
SAMPRIT DAS
a month ago

Researcher


As you said it is not critical for your system, I changed the severity to high @maintainer.

Basil
a month ago

Maintainer


It's the wrong repository to confirm and validate the commit. The repo would be: https://github.com/luyadev/luya-module-admin

SAMPRIT DAS
a month ago

Researcher


@admin can you please edit the repo to https://github.com/luyadev/luya-module-admin

Jamie Slome
a month ago

Admin


Sorted 👍

SAMPRIT DAS
a month ago

Researcher


@maintainer now can you please validate and confirm the fix for this report?

Basil validated this vulnerability a month ago
SAMPRIT DAS has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Basil confirmed that a fix has been merged on d08b7d a month ago
Basil has been awarded the fix bounty