GHSA-cgr4-c233-h733: UnoPim Stored XSS: Cookie hijacking through Create User function
Summary
A vulnerability exists in the Create User process: when a new admin account is created, the form accepts a profile image upload, and that upload may be an SVG file. An attacker can upload a malicious SVG containing an embedded script. When the profile image is opened in the browser, the embedded script executes in the application's origin, which can lead to theft of session cookies.
Details
- Log in as admin
- Go to Create User
- Fill in every field of the registration form, then upload an SVG image as the profile picture
- In the SVG image, add a script tag to prepare the XSS payload
- Complete the Create User process
- Right-click the image to obtain the image URL
- XSS is triggered when that URL is opened
PoC
The link below is a private YouTube video demonstrating the PoC: https://youtu.be/5j8owD0–1A
Impact
The stored XSS can lead to session hijacking and privilege escalation, effectively bypassing any CSRF protections in place.
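The steps above work because the upload path trusts the file extension and the browser then renders the stored SVG as a document in the application's origin. The following is an added example, not UnoPim's code and not the content of the referenced fix commit (the project itself is PHP; this is a Python sketch of the same server-side checks). It assumes hypothetical names (`validate_profile_image`, `find_active_content`, `upload_response_headers`) and constructed sample files. It shows the two layers a defender wants here: rejecting SVG profile pictures (or at least SVG with script, event handler attributes, `javascript:` links or `foreignObject`) at upload time, and serving whatever is stored with headers that stop the browser from executing it even if a check is missed. Cookie theft via the Impact paragraph's scenario is further limited by marking the session cookie `HttpOnly`, which is a framework setting rather than upload code and so is not shown.

```python
"""Server-side checks for user-uploaded profile images (added example, not project code)."""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET

# Elements that carry executable or foreign-document content inside an SVG.
ACTIVE_TAGS = {"script", "foreignObject", "set", "animate", "handler"}
# Link schemes that would execute when the SVG is opened as a document.
BLOCKED_SCHEMES = re.compile(r"^\s*(javascript|vbscript)\s*:", re.IGNORECASE)

# Magic bytes for the raster formats a profile picture actually needs.
RASTER_SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}


def sniff_raster(data: bytes) -> str | None:
    """Identify a raster image by its leading bytes, ignoring the client-supplied name/type."""
    for signature, mime in RASTER_SIGNATURES.items():
        if data.startswith(signature):
            return mime
    return None


def parse_svg(data: bytes) -> ET.Element | None:
    """Return the root element if the bytes are a well-formed SVG document, else None."""
    try:
        root = ET.fromstring(data)  # stdlib parser: no external entity expansion
    except ET.ParseError:
        return None
    return root if root.tag.rsplit("}", 1)[-1] == "svg" else None


def find_active_content(data: bytes) -> list[str]:
    """List reasons an SVG is unsafe to render in the app's origin (empty list = none found)."""
    root = parse_svg(data)
    if root is None:
        return ["not a well-formed SVG document"]
    findings: list[str] = []
    for element in root.iter():
        local = element.tag.rsplit("}", 1)[-1]  # strip XML namespace
        if local in ACTIVE_TAGS:
            findings.append(f"<{local}> element")
        for name, value in element.attrib.items():
            attr = name.rsplit("}", 1)[-1]  # handles xlink:href and plain href alike
            if attr.lower().startswith("on"):
                findings.append(f"event handler attribute {attr} on <{local}>")
            elif attr == "href" and BLOCKED_SCHEMES.match(value):
                findings.append(f"scriptable href on <{local}>")
    return findings


def validate_profile_image(data: bytes, allow_svg: bool = False) -> tuple[bool, str]:
    """Return (accepted, detail). Raster images pass by magic bytes; SVG is refused
    by default and, if allowed, only when it carries no active content."""
    mime = sniff_raster(data)
    if mime:
        return True, mime
    if parse_svg(data) is None:
        return False, "unrecognised image format"
    if not allow_svg:
        return False, "SVG profile pictures are not permitted"
    findings = find_active_content(data)
    if findings:
        return False, "SVG contains active content: " + "; ".join(findings)
    return True, "image/svg+xml"


def upload_response_headers(mime: str, filename: str) -> dict[str, str]:
    """Headers for serving any stored upload from the application origin."""
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", filename)
    return {
        "Content-Type": mime,
        "X-Content-Type-Options": "nosniff",
        # Download instead of render, so the file is never treated as a document here.
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        # If it is rendered anyway, the document is origin-less and may not run scripts.
        "Content-Security-Policy": "sandbox; default-src 'none'",
    }


# Constructed sample inputs (not taken from the advisory or the PoC video).
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8
SAMPLE_CLEAN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'
SAMPLE_SCRIPT_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><script>/* sample */</script></svg>'
SAMPLE_HANDLER_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="4" onload="0"/></svg>'

if __name__ == "__main__":
    for label, sample in [("png", SAMPLE_PNG), ("clean svg", SAMPLE_CLEAN_SVG),
                          ("script svg", SAMPLE_SCRIPT_SVG), ("handler svg", SAMPLE_HANDLER_SVG)]:
        print(label, validate_profile_image(sample, allow_svg=True))
```

The element and attribute lists are a blocklist and will not catch every construct a browser can execute (CSS `url()` in `<style>`, for instance), which is why the simplest safe policy for a profile picture is `allow_svg=False`: re-encode uploads to PNG or JPEG and never store SVG at all. The response headers are the second layer and apply regardless of which files slipped through.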
Moderate severity GitHub Reviewed Published Nov 13, 2024 in unopim/unopim • Updated Nov 13, 2024
Package
composer unopim/unopim (Composer)
Affected versions
< 0.1.5
References
- GHSA-cgr4-c233-h733
- https://nvd.nist.gov/vuln/detail/CVE-2024-52305
- unopim/unopim@9a0da7a
Published to the GitHub Advisory Database
Nov 13, 2024
Last updated
Nov 13, 2024