Hi Team,
I have found stored cross-site scripting on WonderCMS 2.4.0 application.
Vulnerability exists on File Upload functionality.
			
			
									
																
						[SVG ONLY FEATURE/BUG] Stored Cross-Site Scripting Vulnerability
- 
				Tanmay9511
- Posts: 1
- Joined: Thu Feb 08, 2018 8:41 am
Re: [SVG ONLY FEATURE/BUG] Stored Cross-Site Scripting Vulnerability
Please check the following link for this discussion. https://github.com/robiso/wondercms/issues/57
In short, SVG's allow JavaScript inside them, which is basically nothing new. We have two options:
1. Disable SVG's.
2. Don't do anything (since admins are the only ones who can upload anything). Additionally, we have decided some time ago that an admin executing JavaScript at any part of the CMS is ok. This is still open to discussion if necessary.
If we already allow JavaScript to be executed at any part of the CMS, would removing the SVG functionality make any difference?
			
			
									
																
						In short, SVG's allow JavaScript inside them, which is basically nothing new. We have two options:
1. Disable SVG's.
2. Don't do anything (since admins are the only ones who can upload anything). Additionally, we have decided some time ago that an admin executing JavaScript at any part of the CMS is ok. This is still open to discussion if necessary.
If we already allow JavaScript to be executed at any part of the CMS, would removing the SVG functionality make any difference?
