Headline
CVE-2022-2495: Stored XSS via SVG File in microweber
Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 1.2.21.
Description
A user who is allowed to upload files can upload an SVG image that contains script. The file is stored and later served from the application's own origin, so the script runs in the browser of anyone who opens the file URL, which makes this a stored XSS.
Payload
Copy the following code and save it as filename.svg:
<x:script xmlns:x="http://www.w3.org/1999/xhtml">alert(document.domain)</x:script>
The element is bound to the XHTML namespace, so a browser parsing the file as XML treats it as a script element even though it is never written as a literal <script> tag; an upload filter that only looks for the substring "<script" does not see it.
Proof of Concept
[1] Log in as admin.
[2] Upload the payload-injected SVG file through the file manager at https://demo.microweber.org/demo/admin/view:modules/load_module:files
[3] Copy the URL of the uploaded SVG file and open it in a new tab.
[4] The script executes: XSS.
Impact
If an attacker can execute script in a victim's browser through the uploaded SVG file, they can compromise that user's account, for example by stealing session cookies (where these are not marked HttpOnly) or by performing actions on the site with the victim's privileges. Note that the reproduction above uploads the file as admin, so the attacker needs an account with file-upload rights or has to get such a user to upload the file; the victim is any user who opens the stored file's URL on the microweber origin.
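The following is an added example, not code from the microweber project or from the original report. It shows a namespace-aware upload check that catches the payload above (and the more usual onload/javascript: variants) where a plain substring search for "<script" does not. The sample SVG inputs are constructed here for illustration; the function names are this example's own.

```python
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"

# Elements that execute script or embed foreign markup, matched on the local
# name only, so <script>, <svg:script> and the report's <x:script xmlns:x=XHTML>
# are all treated the same regardless of prefix.
ACTIVE_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}
URL_ATTRS = {"href", "src"}          # covers xlink:href after the namespace split
DANGEROUS_SCHEMES = ("javascript:", "vbscript:")


def _split_qname(qname):
    """Split ElementTree's '{namespace}local' form into (namespace, local)."""
    if qname.startswith("{"):
        ns, _, local = qname[1:].partition("}")
        return ns, local
    return "", qname


def naive_contains_script(svg_bytes):
    """The kind of substring check that the report's payload bypasses."""
    return b"<script" in svg_bytes.lower()


def find_active_content(svg_bytes):
    """Return a list of findings describing script-capable content in an SVG.

    An empty list means nothing script-capable was found; any finding is a
    reason to reject the upload. xml.etree is not hardened against entity
    expansion attacks, so cap the input size or use defusedxml on real uploads.
    """
    findings = []
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"unparseable XML: {exc}"]

    # A file whose document element is not <svg> in the SVG namespace is not an
    # image at all; the report's payload has an XHTML <script> as its root.
    root_ns, root_local = _split_qname(root.tag)
    if (root_ns, root_local) != (SVG_NS, "svg"):
        findings.append(f"root element is <{root_local}> in '{root_ns or '(none)'}', not <svg>")

    for elem in root.iter():
        ns, local = _split_qname(elem.tag)
        if local.lower() in ACTIVE_ELEMENTS:
            findings.append(f"element <{local}> in namespace '{ns or '(none)'}'")
        for attr, value in elem.attrib.items():
            _, aname = _split_qname(attr)
            aname = aname.lower()
            if aname.startswith("on"):
                findings.append(f"event handler attribute {aname} on <{local}>")
            elif aname in URL_ATTRS and value.strip().lower().startswith(DANGEROUS_SCHEMES):
                findings.append(f"{aname} with script URL on <{local}>")
    return findings


def is_safe_svg(svg_bytes):
    """True only when no script-capable element or attribute was found."""
    return not find_active_content(svg_bytes)


# Constructed samples: the report's payload plus two others for comparison.
PAGE_PAYLOAD = b'<x:script xmlns:x="http://www.w3.org/1999/xhtml">alert(document.domain)</x:script>'
BENIGN_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
              b'<circle cx="5" cy="5" r="4" fill="red"/></svg>')
ONLOAD_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" '
              b'xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert(1)">'
              b'<a xlink:href="javascript:alert(2)"><text>x</text></a></svg>')

if __name__ == "__main__":
    for name, data in [("page payload", PAGE_PAYLOAD), ("benign", BENIGN_SVG), ("onload", ONLOAD_SVG)]:
        print(name, "naive:", naive_contains_script(data), "findings:", find_active_content(data))
```

Rejecting such files at upload time is only one layer: an SVG sanitizer is easy to get wrong, so user-uploaded SVGs should additionally be served with Content-Disposition: attachment (or from a separate origin) and a restrictive Content-Security-Policy, or rasterized to PNG before being published.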
Related news
GHSA-xg72-6c83-ghh4: Microweber Stored Cross-site Scripting before v1.2.20
Microweber prior to version 1.2.20 is vulnerable to stored Cross-site Scripting (XSS).