Overview
A cross-site scripting (XSS) vulnerability has been identified in CMSimple_XH version 1.7.6. This vulnerability allows authorized users to upload SVG files containing malicious JavaScript code. The issue stems from inadequate validation and sanitization of uploaded SVG files within the file upload functionality of the application.
Vulnerability Details
- CVE Identifier: CVE-2024-34452
- Severity: Medium
- Affected Version: CMSimple_XH 1.7.6
Description
The vulnerability exists due to the application's failure to properly validate and sanitize SVG files uploaded by users. An attacker can exploit this flaw by uploading a specially crafted SVG file containing malicious JavaScript code. When the uploaded SVG file is accessed by other users, the injected JavaScript code executes within their browsers in the context of the CMSimple_XH application. This can lead to various XSS attacks.
Impact
Successful exploitation of this vulnerability could enable an attacker to:
- Steal session cookies
- Compromise user accounts
- Perform unauthorized actions on behalf of legitimate users
Proof of Concept
An example of a malicious SVG code that triggers an alert with the document's cookies:
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert(document.cookie);
</script>
</svg>Steps to Reproduce
- Log in to the CMSimple_XH application as an authorized user.
- Navigate to the file upload functionality.
- Upload the malicious SVG file (xss.svg) provided in the Proof of Concept section.
- Access the uploaded SVG file within the application.
- Observe the execution of the JavaScript code and the alert displaying the document's cookies.
Screenshots
Acknowledgements: This vulnerability was discovered and reported by Suraj Theekshana.