Stored XSS Via SVG Upload in kiwitcms/kiwi

Valid

Reported on

May 23rd 2023


Description

I've found a stored XSS via uploading an SVG file with the following content:

<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.domain)"><defs><font id="x"><font-face font-family="y"/></font></defs></svg>

Proof of Concept

https://drive.google.com/file/d/16HC08PPqAHZuubz-1IMJYZSETpTQZOzA/view?usp=sharing

Impact

Stored XSS vulnerabilities can lead to data theft, account compromise, and the distribution of malware. Attackers can inject malicious scripts into a website, allowing them to steal sensitive information or hijack user sessions. Additionally, stored XSS can result in website defacement and content manipulation, causing reputational damage. It can also be used as a platform for launching phishing attacks, tricking users into revealing their credentials or sensitive data.
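The payload above works because an uploaded SVG that is served with its own content type and opened directly in the browser is a full XML document in the application's origin, so an `onload` handler on the root element runs as page script. The following is an added example, not code from Kiwi TCMS and not the fix referenced later in this report (see the linked GitHub advisory for that): it scans an upload for script-bearing content (event-handler attributes, `<script>`/`<foreignObject>`-style elements, `javascript:` URLs, and SMIL `<set>`/`<animate>` elements that install a handler) and builds the response headers that stop a browser from rendering any user upload inline. It assumes only the Python standard library; for production use, parse untrusted XML with `defusedxml` rather than `xml.etree` directly.

```python
"""
Added example (not Kiwi TCMS code): scan an uploaded SVG for content that
executes script when the file is opened directly in a browser, and build
response headers that force a download instead of inline rendering.
Only the Python standard library is assumed.
"""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET

# The payload from the report, embedded here as sample input.
REPORTED_PAYLOAD = (
    b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.domain)">'
    b'<defs><font id="x"><font-face font-family="y"/></font></defs></svg>'
)

# Constructed benign SVG for comparison.
BENIGN_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
    b'<rect width="10" height="10" fill="#0f0"/></svg>'
)

# Constructed variant that installs the handler through SMIL animation instead of
# a literal on* attribute, to show why checking attribute names alone falls short.
ANIMATED_PAYLOAD = (
    b'<svg xmlns="http://www.w3.org/2000/svg">'
    b'<set attributeName="onmouseover" to="alert(1)"/><rect width="5" height="5"/></svg>'
)

ACTIVE_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}
URL_ATTRIBUTES = {"href", "src", "to", "from", "values"}  # xlink:href reduces to "href"
SCRIPT_SCHEME = re.compile(r"^\s*(javascript|vbscript|data)\s*:", re.I)


def _local(qname: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on tag and attribute names."""
    return qname.rsplit("}", 1)[-1]


def find_active_content(data: bytes) -> list[str]:
    """Return human-readable findings; an empty list means nothing scriptable was seen."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        # Malformed XML is rejected too: a lenient browser may still render it.
        return [f"unparseable XML: {exc}"]

    findings: list[str] = []
    for el in root.iter():
        name = _local(el.tag)
        if name.lower() in ACTIVE_ELEMENTS:
            findings.append(f"element <{name}>")
        for attr, value in el.attrib.items():
            aname = _local(attr).lower()
            if aname.startswith("on"):
                findings.append(f"event handler {aname}={value!r} on <{name}>")
            elif aname == "attributename" and value.lower().startswith("on"):
                findings.append(f"<{name}> animates event handler {value!r}")
            elif aname in URL_ATTRIBUTES and SCRIPT_SCHEME.match(value):
                findings.append(f"{aname}={value!r} on <{name}> uses a script-capable scheme")
    return findings


def untrusted_upload_headers(filename: str) -> dict[str, str]:
    """Headers for serving any user upload: never let the browser render it as a document."""
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", filename) or "download"
    return {
        # octet-stream plus nosniff: the browser will not sniff its way to image/svg+xml or text/html
        "Content-Type": "application/octet-stream",
        "X-Content-Type-Options": "nosniff",
        # attachment: the file is saved, not navigated to, so no script context exists
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        # belt and braces if an intermediary ever strips the disposition header
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }


def main() -> None:
    for label, blob in (("reported", REPORTED_PAYLOAD), ("animated", ANIMATED_PAYLOAD), ("benign", BENIGN_SVG)):
        print(label, find_active_content(blob) or "clean")
    print(untrusted_upload_headers('x".svg'))


if __name__ == "__main__":
    main()
```

Running it flags the reported payload on its `onload` attribute and the animated variant on `attributeName="onmouseover"`, while the benign rectangle comes back clean. The scanner is a defence-in-depth filter only: SVG has more ways to reach script than this list, so the headers, which keep the upload from ever being rendered as a same-origin document, are the control to rely on.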

We are processing your report and will contact the kiwitcms/kiwi team within 24 hours. 9 months ago
We have contacted a member of the kiwitcms/kiwi team and are waiting to hear back 9 months ago
Alexander Todorov validated this vulnerability 9 months ago
mnqazi has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Alexander
9 months ago

Maintainer


Our team will be working on a fix immediately. Stay tuned for updates.

M Nadeem Qazi
9 months ago

Researcher


Ok, thanks. @maintainer, can I get a CVE for this?

Alexander Todorov marked this as fixed in 12.4 with commit d789f4 9 months ago
Alexander Todorov has been awarded the fix bounty
This vulnerability has now been published 9 months ago
Alexander
9 months ago

Maintainer


CVE number and additional information is handled via GitHub, see https://github.com/kiwitcms/Kiwi/security/advisories/GHSA-2fqm-m4r2-fh98

M Nadeem Qazi
9 months ago

Researcher


Thanks @Alexander_Todorov

M Nadeem Qazi
9 months ago

Researcher


Hi @admin, this report has been assigned a CVE by GitHub, which is CVE-2023-33977.

Can you please update it here.

Alexander
9 months ago

Maintainer


No. huntr.dev doesn't allow assignment of external CVE IDs. It's a limitation of the platform.

M Nadeem Qazi
9 months ago

Researcher


Ok thanks for the info.
