We've joined Protect AIJoin us over there for bounties up to $50,000+ for vulnerabilities in AI/ML repos

/

Stored XSS Via SVG Upload in kiwitcms/kiwi

Valid

Reported on

May 23rd 2023

Description

I've found a Stored XSS via uploading SVG file with the following content:

<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.domain)"><defs><font id="x"><font-face font-family="y"/></font></defs></svg>

Proof of Concept

https://drive.google.com/file/d/16HC08PPqAHZuubz-1IMJYZSETpTQZOzA/view?usp=sharing

Impact

Stored XSS vulnerabilities can lead to data theft, account compromise, and the distribution of malware. Attackers can inject malicious scripts into a website, allowing them to steal sensitive information or hijack user sessions. Additionally, stored XSS can result in website defacement and content manipulation, causing reputational damage. It can also be used as a platform for launching phishing attacks, tricking users into revealing their credentials or sensitive data.

References

https://huntr.dev/bounties/19470f0b-7094-4339-8d4a-4b5570b54716/

We are processing your report and will contact the kiwitcms/kiwi team within 24 hours. 4 months ago

We have contacted a member of the kiwitcms/kiwi team and are waiting to hear back 4 months ago

Alexander Todorov validated this vulnerability 4 months ago

M Nadeem Qazi has been awarded the disclosure bounty

The fix bounty is now up for grabs

The researcher's credibility has increased: +7

Alexander Todorov Alexander

commented 4 months ago

Maintainer

Our team will be working on a fix immediately. Stay tuned for updates.

commented 4 months ago

Researcher

Ok Thanks. @maintainer, Can I get a CVE for this?

Alexander Todorov marked this as fixed in 12.4 with commit d789f4 4 months ago

Alexander Todorov has been awarded the fix bounty

This vulnerability will not receive a CVE

Alexander Todorov published this vulnerability 4 months ago

Alexander Todorov Alexander

commented 4 months ago

Maintainer

CVE number and additional information is handled via GitHub, see https://github.com/kiwitcms/Kiwi/security/advisories/GHSA-2fqm-m4r2-fh98

commented 3 months ago

Researcher

Thanks @Alexander_Todorov

commented 3 months ago

Researcher

Hi @admin, this report has assigned CVE by github which is CVE-2023-33977.

Can you please update it here.

Alexander Todorov Alexander

commented 3 months ago

Maintainer

No. huntr.dev doesn't allow assignment of external CVE IDs. It's a limitation of the platform.

commented 3 months ago

Researcher

Ok thanks for the info.

to join this conversation

We are processing your report and will contact the kiwitcms/kiwi team within 24 hours. 4 months ago

We have contacted a member of the kiwitcms/kiwi team and are waiting to hear back 4 months ago

Alexander Todorov validated this vulnerability 4 months ago

M Nadeem Qazi has been awarded the disclosure bounty

The fix bounty is now up for grabs

The researcher's credibility has increased: +7

Alexander Todorov Alexander

commented 4 months ago

Maintainer

Our team will be working on a fix immediately. Stay tuned for updates.

commented 4 months ago

Researcher

Ok Thanks. @maintainer, Can I get a CVE for this?

Alexander Todorov marked this as fixed in 12.4 with commit d789f4 4 months ago

Alexander Todorov has been awarded the fix bounty

This vulnerability will not receive a CVE

Alexander Todorov published this vulnerability 4 months ago

Alexander Todorov Alexander

commented 4 months ago

Maintainer

CVE number and additional information is handled via GitHub, see https://github.com/kiwitcms/Kiwi/security/advisories/GHSA-2fqm-m4r2-fh98

commented 3 months ago

Researcher

Thanks @Alexander_Todorov

commented 3 months ago

Researcher

Hi @admin, this report has assigned CVE by github which is CVE-2023-33977.

Can you please update it here.

Alexander Todorov Alexander

commented 3 months ago

Maintainer

No. huntr.dev doesn't allow assignment of external CVE IDs. It's a limitation of the platform.

commented 3 months ago

Researcher

Ok thanks for the info.

to join this conversation