[SVG ONLY FEATURE/BUG] Stored Cross-Site Scripting Vulnerability

Tanmay9511
Posts: 1
Joined: Thu Feb 08, 2018 8:41 am

Post by Tanmay9511 »

Hi Team,

I have found a stored cross-site scripting vulnerability in the WonderCMS 2.4.0 application.

The vulnerability exists in the file upload functionality.
wiz
Posts: 749
Joined: Sat Oct 30, 2010 12:23 am

Re: [SVG ONLY FEATURE/BUG] Stored Cross-Site Scripting Vulnerability

Post by wiz »

Please check the following link for this discussion. https://github.com/robiso/wondercms/issues/57

In short, SVGs allow JavaScript inside them, which is basically nothing new. We have two options:
1. Disable SVGs.
2. Don't do anything (since admins are the only ones who can upload anything). Additionally, we have decided some time ago that an admin executing JavaScript at any part of the CMS is ok. This is still open to discussion if necessary.

If we already allow JavaScript to be executed at any part of the CMS, would removing the SVG functionality make any difference?