CMS MADE SIMPLE FORGE

CMS Made Simple Core

 

[#11871] XSS (via svg file upload)

Created By: Provensec Security (security-provensec)
Date Submitted: Wed Aug 08 03:04:11 -0400 2018

Assigned To:
Version: 2.2.8
CMSMS Version: 2.2.8
Severity: Major
Resolution: Invalid
State: Closed
Summary:
XSS (via svg file upload)
Detailed Description:
# Affected software: cmsms-2.2.8
 
# Type of vulnerability: XSS (via svg file upload)
 
# URL: https://www.cmsmadesimple.org
 
# Discovered by: BreachLock
# Website: https://www.breachlock.com
# Author: Balvinder Singh


Description: SVG files can contain JavaScript in <script> tags. Browsers are
smart enough to ignore scripts embedded in SVG files included via IMG tags.
However, a direct request for an SVG file will result in the scripts being
executed.
So an embedded SVG as an attachment in an issue or avatar does not execute the
code, but if a user clicks on the attachment the code will execute.

Proof of concept:
Step 1: Log in to the cmsms crm using the admin role.
Step 2: In the file manager section choose file upload and upload a malicious svg
file.
Step 3: Now open that file, which was saved as 1.svg; the below output will be
shown.

VulnerableURL: http://localhost/cmsms-2.2.8-install/uploads/1.svg


History

Comments
Date: 2018-08-09 16:21
Posted By: Matt Hornsby (DIGI3) (DIGI3)

An admin can just add a script to their content or templates, why would they do
this?
      
Date: 2018-08-11 09:46
Posted By: Robert Campbell (calguy1000)

Administrators have the ability to upload any file and link to it on their
website. This is not a vulnerability.
      
Date: 2018-08-13 05:34
Posted By: Provensec Security (security-provensec)

SVG is a special case because even experienced admins may take them for sole
vector images and are unaware of, or simply forget about, the possibility of
malicious scripts in them.

It is exploitable, hence it is a vulnerability.
      
Date: 2018-08-29 08:23
Posted By: Provensec Security (security-provensec)

Hi,

Will this be patched in your coming release?
Looking forward to hearing from you.
      
Updates

Updated: 2020-11-03 14:38
state: Open => Closed

Updated: 2019-01-14 01:51
description: # Affected software: cmsms-2.2.8 # Type of vulnerability: XSS (via svg file upload) # URL: https://www.cmsmadesimple.org # Discovered by: Provensec # Website: http://www.provensec.com # Author: Balvinder Singh Description: SVG files can => # Affected software: cmsms-2.2.8 # Type of vulnerability: XSS (via svg file upload) # URL: https://www.cmsmadesimple.org # Discovered by: BreachLock # Website: https://www.breachlock.com # Author: Balvinder Singh Description: SVG files

Updated: 2018-08-11 09:46
resolution_id: => 9