Stored XSS via SVG File in flatpressblog/flatpress

Valid

Reported on

Oct 4th 2022


Description

FlatPress has a file upload feature ("uploader") and displays the uploaded files from the "media manager". By uploading an SVG file, a user can perform a stored XSS attack. Copy the following code and save it as filename.svg.

Proof of Concept

<x:script xmlns:x="http://www.w3.org/1999/xhtml">alert(document.domain)</x:script>
  1. Log in to http://demos4.softaculous.com/FlatPresseidiiohclz/admin.php?p=uploader&action=default
  2. Go to the uploader and upload this SVG file.
  3. Go to the media manager and click on the SVG file, or open it from the direct link: http://demos4.softaculous.com/FlatPresseidiiohclz/admin.php?p=uploader&action=mediamanager http://demos4.softaculous.com/FlatPresseidiiohclz/fp-content/attachs/filename.svg
  4. XSS!

If you need more specific information, feel free to contact me.

Impact

If an attacker can execute script in the victim's browser via an SVG file, they might compromise that user by stealing their cookies.
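The PoC above is not an ordinary SVG at all: its root is a script element placed in the XHTML namespace under an arbitrary prefix, so a naive upload filter that greps for the literal string "<script" misses it. The following added example (not FlatPress code) shows a namespace-aware check a defender could run on uploaded SVG before storing it; it parses the file with Python's standard ElementTree, rejects any root that is not svg:svg, and flags script elements in any namespace, on* event-handler attributes, javascript: hrefs and foreignObject. The sample inputs are constructed here.

```python
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"

# Constructed samples: the report's PoC payload and a harmless SVG for comparison.
POC_SVG = '<x:script xmlns:x="http://www.w3.org/1999/xhtml">alert(document.domain)</x:script>'
BENIGN_SVG = '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10"><circle r="4"/></svg>'


def local_name(qname):
    """Strip the '{namespace}' prefix ElementTree puts on tag and attribute names."""
    return qname.split('}', 1)[1] if qname.startswith('{') else qname


def namespace(qname):
    """Return the namespace URI of a qualified name, or '' if it has none."""
    return qname[1:].split('}', 1)[0] if qname.startswith('{') else ''


def find_active_content(svg_text):
    """Return a list of reasons an uploaded SVG should be rejected; empty means none found."""
    findings = []
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as err:
        return [f"not well-formed XML: {err}"]
    # The PoC's root is xhtml:script, not svg:svg, so check the root first.
    if root.tag != f"{{{SVG_NS}}}svg":
        findings.append(f"root element is not svg:svg (got {root.tag})")
    for el in root.iter():
        name = local_name(el.tag).lower()
        # A script element is active content whatever namespace or prefix it uses.
        if name == "script":
            findings.append(f"script element in namespace '{namespace(el.tag)}'")
        if name == "foreignobject":
            findings.append("foreignObject element (can embed arbitrary HTML)")
        for attr, value in el.attrib.items():
            aname = local_name(attr).lower()
            if aname.startswith("on"):
                findings.append(f"event handler attribute {aname} on <{name}>")
            if aname == "href" and value.strip().lower().startswith("javascript:"):
                findings.append(f"javascript: URL in href on <{name}>")
    return findings


def is_safe_svg(svg_text):
    """True only if no active content was found; reject or sanitize otherwise."""
    return not find_active_content(svg_text)
```

Even with such a filter, serving user uploads from a separate origin or with a restrictive Content-Security-Policy limits what any SVG that slips through can do.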

We are processing your report and will contact the flatpressblog/flatpress team within 24 hours. 3 months ago
We have contacted a member of the flatpressblog/flatpress team and are waiting to hear back 3 months ago
We have sent a follow up to the flatpressblog/flatpress team. We will try again in 7 days. 3 months ago
We have sent a second follow up to the flatpressblog/flatpress team. We will try again in 10 days. 3 months ago
We have sent a third and final follow up to the flatpressblog/flatpress team. This report is now considered stale. 2 months ago
flatpressblog/flatpress maintainer validated this vulnerability 22 days ago
Hakiduck has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
flatpressblog/flatpress maintainer marked this as fixed in 1.3 with commit 742f8b 22 days ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
flatpressblog/flatpress maintainer published this vulnerability 22 days ago