Description
Overview
A Stored Cross-Site Scripting (XSS) vulnerability has been identified in the File Management module of FluentCMS. The vulnerability allows an authenticated administrator to upload SVG files containing malicious JavaScript code. This code is executed in the user's browser whenever the URL of the uploaded image is accessed.
Details
The application allows authenticated administrators to upload SVG files via the File Management module without proper sanitization. Since SVG files can contain embedded JavaScript, the malicious code executes automatically when the image is rendered in a browser. Because files are stored in a public directory and served without restrictive security headers, the XSS executes for any user accessing the file URL, including unauthenticated visitors.
PoC
To replicate this vulnerability:
- Log in to the FluentCMS admin panel.
- Navigate to File Management.
- Upload an SVG file.
- Path to file in request
- Observe that the JavaScript code executes in the browser.
Impact
This could lead to unauthorized actions, UI manipulation, or redirecting users to malicious external websites.
Note
This public disclosure is being made after coordinating with the team.