Stored XSS via .svg file upload in luyadev/luya-module-admin

Valid

Reported on

Apr 1st 2022


Description

The application allows .svg files to be uploaded through the admin file manager and then serves them inline from its own origin (see the storage URL in the PoC below), so script embedded in the SVG executes in the application's origin. This is a stored XSS.

Proof of Concept

1. Download the payload XSS.svg from the drive link below and go to "Files".

2. Click "Add file" and upload the downloaded payload.

3. Open the uploaded file's details and follow the file path; the XSS triggers as soon as the file is opened (Link: https://demo.luya.io/storage/xss_197a764d.svg)

Video PoC

https://drive.google.com/drive/folders/1TvitLP-w-hbVD44-csA7ZSASrhYlKQN1?usp=sharing

Impact

This allows an attacker who can upload files to execute arbitrary script in the browser of any user who opens the stored file, which can lead to session hijacking, sensitive data exposure, and worse.

References

We are processing your report and will contact the luyadev/luya-module-admin team within 24 hours. 2 years ago
SAMPRIT DAS modified the report
2 years ago
We have contacted a member of the luyadev/luya-module-admin team and are waiting to hear back 2 years ago
We have sent a follow up to the luyadev/luya-module-admin team. We will try again in 4 days. 2 years ago
We have sent a second follow up to the luyadev/luya-module-admin team. We will try again in 7 days. 2 years ago
luyadev/luya-module-admin maintainer has acknowledged this report 2 years ago
SAMPRIT DAS
2 years ago

Researcher


@admin any update on this report?

Jamie Slome
2 years ago

It looks like the maintainer has acknowledged the report, and so we will wait to see if we hear back from them shortly.

We do always have the 90-day timeline where we can make it public once this timeframe has elapsed post-submission.

Basil
2 years ago

this is not critical in your system, developers can upload SVGs. it's not a problem at all. We have changed the default settings now according to the issue, which will by default blacklist svg mime types. no CVE is required here!
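The following is an added example, written for this page and not code from luya-module-admin or from the reporter. It illustrates both the PoC above (an SVG carrying a script element and an event-handler attribute) and the maintainer's fix (SVG rejected by default). Because the fix is about what the server accepts rather than any Luya API, it is written in framework-independent Python: a content sniffer that does not trust the extension or the client-declared MIME type, an active-content scan for deployments that must keep SVG, and the response headers to use if stored SVGs are served at all. The sample files, function names and the `allow_svg` parameter are constructed for the example.

```python
"""Added example: detecting and rejecting script-bearing SVG uploads.

Not part of luya-module-admin. The sample SVG below is constructed and is
not the XSS.svg from the report; it is the same kind of file.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample of the payload class used in the PoC.
SAMPLE_XSS_SVG = b"""<?xml version="1.0" encoding="UTF-8"?>
<svg xmlns="http://www.w3.org/2000/svg" width="100" height="100"
     onload="alert(document.domain)">
  <script type="text/javascript">alert(document.cookie)</script>
  <circle cx="50" cy="50" r="40" fill="red"/>
</svg>
"""

# Constructed sample of a harmless SVG (no script, no handlers, no javascript: links).
SAMPLE_PASSIVE_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <rect width="10" height="10" fill="blue"/>
</svg>
"""

# Constructed PNG signature so the checker has a non-SVG input to accept.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16


def sniff_is_svg(data: bytes) -> bool:
    """Decide by file content, never by extension or the Content-Type the client sent.

    Strips a BOM, the XML declaration, comments and a DOCTYPE, then checks whether
    the first element is <svg>. Renaming xss.svg to photo.png does not get past this.
    """
    head = data[:1024].lstrip(b"\xef\xbb\xbf")
    head = re.sub(rb"<\?xml[^>]*\?>", b"", head)
    head = re.sub(rb"<!--.*?-->", b"", head, flags=re.S)
    head = re.sub(rb"<!DOCTYPE[^>]*>", b"", head)
    return re.match(rb"\s*<svg[\s>]", head) is not None


def svg_active_content(data: bytes) -> list[str]:
    """List scriptable constructs in an SVG: <script>, on* handlers, javascript:/data: hrefs.

    Returns [] for a passive SVG. A file that does not parse is reported as a finding
    so the caller fails closed instead of letting the browser's lenient parser decide.
    """
    findings: list[str] = []
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return ["unparseable XML"]
    for el in root.iter():
        tag = el.tag.split("}")[-1].lower()          # drop the namespace prefix
        if tag == "script":
            findings.append("<script> element")
        for attr, val in el.attrib.items():
            name = attr.split("}")[-1].lower()       # handles xlink:href as well
            if name.startswith("on"):
                findings.append(f"{tag}@{name} event handler")
            elif name == "href" and re.match(r"\s*(javascript|data):", val, re.I):
                findings.append(f"{tag}@{name} uses {val.split(':', 1)[0].strip()} URI")
    return findings


def upload_decision(filename: str, declared_mime: str, data: bytes,
                    allow_svg: bool = False) -> tuple[bool, str]:
    """Mirror the default from the fix: SVG is refused unless explicitly allowed.

    `filename` and `declared_mime` are deliberately ignored for the decision; they are
    attacker-controlled. When an operator opts in (allow_svg=True), only SVGs with no
    active content are accepted.
    """
    if not sniff_is_svg(data):
        return True, f"non-SVG content accepted ({filename}, declared {declared_mime})"
    if not allow_svg:
        return False, "image/svg+xml is blacklisted by default"
    active = svg_active_content(data)
    if active:
        return False, "SVG contains active content: " + ", ".join(active)
    return True, "passive SVG accepted"


def safe_download_headers(stored_name: str) -> dict[str, str]:
    """Headers for serving a stored SVG if it must be served at all.

    Forcing a download and a sandboxed, script-free CSP keeps any embedded script
    from running in the application's origin even if the file gets through.
    """
    return {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": f'attachment; filename="{stored_name}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "sandbox; default-src 'none'",
    }


if __name__ == "__main__":
    for name, mime, blob in [("xss.svg", "image/svg+xml", SAMPLE_XSS_SVG),
                             ("photo.png", "image/png", SAMPLE_XSS_SVG),
                             ("logo.png", "image/png", SAMPLE_PNG)]:
        print(name, upload_decision(name, mime, blob))
    print("opt-in, passive:", upload_decision("ok.svg", "image/svg+xml", SAMPLE_PASSIVE_SVG, True))
    print("opt-in, xss:", upload_decision("xss.svg", "image/svg+xml", SAMPLE_XSS_SVG, True))
```

The second input in the demo (the XSS SVG renamed to photo.png with a declared PNG type) is the case a pure MIME-type blacklist based on the client's declaration misses; sniffing the bytes catches it. Note that a blacklist of SVG is only a fix for this one vector; the headers in `safe_download_headers` are the defence that holds for any future file type the file manager accepts.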

Basil
2 years ago

  • this is not critical in OUR system
SAMPRIT DAS
2 years ago

Researcher


@maintainer This is another report of mine, similar to this one, where the severity is marked as critical: https://huntr.dev/bounties/b0c4f992-4ac8-4479-82f4-367ed1a2a826/

Okay, no problem if you do not agree to assign a CVE for this report, but at least you can validate the report and confirm the fix, right?

SAMPRIT DAS modified the report
2 years ago
SAMPRIT DAS
2 years ago

Researcher


As you said it is not critical for your system, so I changed the severity to high @maintainer.

Basil
2 years ago

It's the wrong repository to confirm and validate the commit. The repo would be: https://github.com/luyadev/luya-module-admin

SAMPRIT DAS
2 years ago

Researcher


@admin can you please edit the repo to https://github.com/luyadev/luya-module-admin

Jamie Slome
2 years ago

Sorted 👍

SAMPRIT DAS
2 years ago

Researcher


@maintainer now can you please validate and confirm the fix for this report?

Basil validated this vulnerability 2 years ago
sampritdas8 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Basil marked this as fixed in 4.4.1 with commit d08b7d 2 years ago
Basil has been awarded the fix bounty