Stored XSS via SVG Upload in omeka/omeka-s


Reported on

Jul 16th 2023


By uploading an SVG file containing JavaScript code in the file upload function on the administrator screen, it is possible to execute any script on the browser of the accessing user.

Proof of Concept

Log in to the administrator screen, access the Assets page, and upload the SVG file.


POST /admin/asset/add HTTP/1.1
Content-Disposition: form-data; name="file"; filename="SVG_XSS.svg"
Content-Type: image/svg+xml

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "">
<svg version="1.1" baseProfile="full" xmlns="">
   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
   <script type="text/javascript">

Execution Result


PoC Video


Always filter files, limit the content type of uploaded files, and properly sanitize content.


Stored XSS vulnerabilities can lead to data theft, account compromise, and the distribution of malware.
Attackers can inject malicious scripts into a website, allowing them to steal sensitive information or hijack user sessions.
Additionally, stored XSS can result in website defacement and content manipulation, causing reputational damage.
It can also be used as a platform for launching phishing attacks, tricking users into revealing their credentials or sensitive data.

We are processing your report and will contact the omeka/omeka-s team within 24 hours. 2 months ago
We have contacted a member of the omeka/omeka-s team and are waiting to hear back 2 months ago
omeka/omeka-s maintainer has acknowledged this report 2 months ago
2 months ago


Thank you for reviewing and approving my report. I will continue to wait for requests for fixes and CVEs.

John Flatness validated this vulnerability 2 months ago
morioka12 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
2 months ago


@zerocrates Thanks for the fix and pull merge. Could you please submit a corrected mark and CVE assignment request?

John Flatness marked this as fixed in 4.0.2 with commit 27ff65 2 months ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
John Flatness published this vulnerability 2 months ago
to join this conversation