Stored XSS via SVG File in flatpressblog/flatpress
Valid
Reported on
Oct 4th 2022
Description
flatpresshas a feature to upload file "uploader" and display from "media manager". By uploading SVG files, the users can perform Stored XSS attack. Copy the following code and save as filename.svg.
Proof of Concept
<x:script xmlns:x="http://www.w3.org/1999/xhtml">alert(document.domain)</x:script>
- login to http://demos4.softaculous.com/FlatPresseidiiohclz/admin.php?p=uploader&action=default
- go to uploader and upload this svg file
- go to the media manager and click on the svg file or open from the direct link: http://demos4.softaculous.com/FlatPresseidiiohclz/admin.php?p=uploader&action=mediamanager http://demos4.softaculous.com/FlatPresseidiiohclz/fp-content/attachs/filename.svg
- XSS!
if you need more specific information, feel free to contact me.
Impact
If an attacker can execute the script in the victim's browser via SVG file, they might compromise that user by stealing its cookies.
We are processing your report and will contact the
flatpressblog/flatpress
team within 24 hours.
3 months ago
We have contacted a member of the
flatpressblog/flatpress
team and are waiting to hear back
3 months ago
We have sent a
follow up to the
flatpressblog/flatpress
team.
We will try again in 7 days.
3 months ago
We have sent a
second
follow up to the
flatpressblog/flatpress
team.
We will try again in 10 days.
3 months ago
We have sent a
third and final
follow up to the
flatpressblog/flatpress
team.
This report is now considered stale.
2 months ago
The researcher's credibility has increased: +7
The fix bounty has been dropped
This vulnerability has been assigned a CVE
to join this conversation