Stored XSS via .svg file upload in luyadev/luya-module-admin
Reported on
Apr 1st 2022
Description
The application allows .svg files to be uploaded, which leads to stored XSS.
Proof of Concept
1. Download the payload XSS.svg from the drive link below and go to "Files".
2. Click on "Add file" and upload the downloaded payload.
3. Open the uploaded file's details and open the file path; once it is opened, the XSS will trigger (Link: https://demo.luya.io/storage/xss_197a764d.svg)
Video PoC
https://drive.google.com/drive/folders/1TvitLP-w-hbVD44-csA7ZSASrhYlKQN1?usp=sharing
Impact
This allows attackers to execute malicious scripts in the user's browser, which can lead to session hijacking, sensitive data exposure, and worse.
References
It looks like the maintainer has acknowledged the report, and so we will wait to see if we hear back from them shortly.
We do always have the 90-day timeline where we can make it public once this timeframe has elapsed post-submission.
This is not critical in your system; developers can upload SVGs. It's not a problem at all. We have changed the default settings now according to the issue, which will by default blacklist SVG MIME types. No CVE is required here!
@maintainer This is another report of mine, similar to this one, where the severity is marked as critical: https://huntr.dev/bounties/b0c4f992-4ac8-4479-82f4-367ed1a2a826/
Okay, no problem if you don't agree to assign a CVE for this report, but at least you can validate the report and confirm the fix, right?
As you said it is not critical for your system, I changed the severity to high @maintainer.
It's the wrong repository to confirm and validate the commit. The repo would be: https://github.com/luyadev/luya-module-admin
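The fix described above blacklists SVG by MIME type. As an added illustration (not LUYA's own PHP code, and not tied to its configuration), here is a Python upload gate that rejects SVG by extension, by declared MIME type and by sniffing the bytes, since the declared type is supplied by the client, together with the response headers that stop a stored upload from being rendered as an active document. The file names and sample bytes are constructed for the example.

```python
import re

BLOCKED_EXT = {"svg", "svgz"}
BLOCKED_MIME = {"image/svg+xml", "image/svg"}

# Skip XML prolog pieces (declaration, comments, DOCTYPE) before the root element.
_PROLOG = re.compile(rb"\s*(?:<\?.*?\?>|<!--.*?-->|<!DOCTYPE(?:[^\[>]|\[.*?\])*>)\s*", re.S)
# Root element named svg, optionally namespace-prefixed (e.g. <svg:svg>).
_SVG_ROOT = re.compile(rb"^<(?:[A-Za-z_][\w.-]*:)?svg[\s>/]", re.I)


def sniff_is_svg(data: bytes) -> bool:
    """True when the document's root element is <svg>, whatever the name or MIME says."""
    head = data[:4096].lstrip(b"\xef\xbb\xbf").lstrip()  # drop UTF-8 BOM and whitespace
    while True:
        m = _PROLOG.match(head)
        if not m:
            break
        head = head[m.end():]
    return bool(_SVG_ROOT.match(head))


def check_upload(filename: str, declared_mime: str, data: bytes) -> tuple[bool, str]:
    """Reject SVG on any of three signals: extension, declared MIME, sniffed content."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext in BLOCKED_EXT:
        return False, "blocked extension"
    if declared_mime.split(";")[0].strip().lower() in BLOCKED_MIME:
        return False, "blocked declared MIME type"
    if sniff_is_svg(data):
        return False, "content is SVG despite its name and declared type"
    return True, "ok"


def download_headers(filename: str) -> dict[str, str]:
    """Headers for serving stored uploads so the browser never executes them inline."""
    safe_name = re.sub(r"[^\w.-]", "_", filename)
    return {
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "sandbox",
    }


if __name__ == "__main__":
    # Constructed samples: a real PNG header, an honest SVG, and an SVG renamed to .png
    samples = [
        ("photo.png", "image/png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 8),
        ("logo.svg", "image/svg+xml", b'<svg xmlns="http://www.w3.org/2000/svg"/>'),
        ("photo.png", "image/png", b'<?xml version="1.0"?><svg xmlns="http://www.w3.org/2000/svg"/>'),
    ]
    for name, mime, body in samples:
        print(name, mime, check_upload(name, mime, body))
```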
@admin can you please edit the repo to https://github.com/luyadev/luya-module-admin
@maintainer now can you please validate and confirm the fix for this report?