Cross-site Scripting (XSS) - Stored in chevereto/chevereto-free
Valid
Jul 17th 2021
Stored XSS via image upload
Latest GitHub code as of 16/7/21
Proof of Concept
1. First download the image file https://github.com/ranjit-git/poc/blob/master/xss%22'%3E%3Cimg%20src%3Dx%20onerror%3Dalert(123)%3E.jpeg on Linux. Don't change the file name. A file with this type of name can be created on Linux.
2. Now go to your account in Chevereto (http://localhost/Chevereto-Free/upload) and upload the above image.
3. Now an image URL will be generated like
4. When any user opens this URL, the XSS is executed.
I have uploaded a demo file to
Your paid version may also be vulnerable to this attack.
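As an added defender-side example (not Chevereto's code and not part of this report), the Python below shows the two controls that close this class of bug: allowlisting the stored filename at upload time and HTML-escaping it at render time, checked against the decoded filename shape from the PoC above. The function names, the extension allowlist and the character regex are assumptions.

```python
import html
import os
import re

# Constructed sample: the filename shape from the PoC above, URL-decoded
REPORTED_NAME = 'xss"\'><img src=x onerror=alert(123)>.jpeg'

# Assumed policy: accepted image extensions and the characters a stored name may keep
ALLOWED_EXT = {"jpg", "jpeg", "png", "gif", "webp"}
UNSAFE_CHARS = re.compile(r"[^A-Za-z0-9._-]+")


def sanitize_upload_name(name: str) -> str:
    """Upload-time control: reduce the client-supplied name to an allowlisted form.

    Path components are dropped, the extension must be in ALLOWED_EXT, and every
    run of characters outside the allowlist collapses to a single underscore.
    """
    base = os.path.basename(name.replace("\\", "/"))
    stem, dot, ext = base.rpartition(".")
    if not dot or ext.lower() not in ALLOWED_EXT:
        raise ValueError("extension not allowed: %r" % base)
    stem = UNSAFE_CHARS.sub("_", stem).strip("._") or "image"
    return "%s.%s" % (stem[:64], ext.lower())


def render_image_tag(stored_name: str, title: str) -> str:
    """Output-time control: HTML-escape every untrusted value in the attribute context.

    This is the fix for the reported bug itself; it must hold even if the name
    being rendered was never passed through sanitize_upload_name.
    """
    return '<img src="/uploads/%s" alt="%s">' % (
        html.escape(stored_name, quote=True),
        html.escape(title, quote=True),
    )


def is_suspicious_name(name: str) -> bool:
    """Detection helper for upload logs: markup metacharacters do not belong in an image name."""
    return any(c in name for c in "<>\"'")
```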
XSS bug, location: index.php#L18