Stored XSS from file upload (svg, html)
Versions affected
- 5.2.4
- 5.2.3
- 5.2.2
- 5.2.1
- 5.2.0
- 5.1rc2
- 5.1rc1
- 5.1b4
- 5.1b3
- 5.1b2
- 5.1a2
- 5.1a1
- 5.1.7
- 5.1.6
- 5.1.5
- 5.1.4
- 5.1.2
- 5.1.1
- 5.1
- 5.0rc3
- 5.0rc2
- 5.0rc1
- 5.0.9
- 5.0.8
- 5.0.7
- 5.0.6
- 5.0.5
- 5.0.4
- 5.0.3
- 5.0.2
- 5.0.10
- 5.0.1
- 5.0
- 4.3.9
- 4.3.8
- 4.3.7
- 4.3.6
- 4.3.5
- 4.3.4
- 4.3.3
- 4.3.20
- 4.3.2
- 4.3.19
- 4.3.18
- 4.3.17
- 4.3.15
- 4.3.14
- 4.3.12
- 4.3.11
- 4.3.10
- 4.3.1
- 4.3
Vulnerability
A Contributor could upload a specially crafted SVG image containing scripting code. When shown as an image, this is safe, because browsers will not execute the script code. When following a link to this image, the code would be executed.
Similarly, an HTML page uploaded as a file could be abused in the same way.
Current status
Hotfixed by forcing SVG images to be downloaded when following a link. Showing an SVG image on the page still works fine.
We actually force a download for all MIME types, except a few image types: jpeg, png, gif, webp, icon.
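The hotfix behaviour described above, as an added example that is not Plone's own code: a helper that picks the Content-Disposition header for a served upload from its MIME type, allowing inline display only for the listed image types and forcing a download for everything else, so an uploaded SVG or HTML file opened via a direct link is never rendered as a document. The exact MIME strings assumed for "icon" are an assumption, as are the helper names.

```python
# Added example (not Plone's code): decide the Content-Disposition header
# for a served upload so that only known-safe raster image types render
# inline; every other type, including image/svg+xml and text/html, is
# forced to download, which stops script inside the file from running in
# the site's origin when a user follows a direct link to it.
import re
from urllib.parse import quote

# Assumption: these MIME strings are what "jpeg, png, gif, webp, icon" map
# to; the advisory lists the types by name only.
INLINE_IMAGE_TYPES = frozenset({
    "image/jpeg",
    "image/png",
    "image/gif",
    "image/webp",
    "image/x-icon",
    "image/vnd.microsoft.icon",
})


def normalize_mime(content_type):
    """Strip parameters and case: 'Image/SVG+XML; charset=utf-8' -> 'image/svg+xml'."""
    return content_type.split(";", 1)[0].strip().lower()


def content_disposition(content_type, filename):
    """Return the Content-Disposition value for a served upload.

    Inline rendering is permitted only for the allowlisted image types.
    The filename is sanitised for the ASCII fallback and also given in
    RFC 5987 form, so a crafted name cannot break out of the header.
    """
    if normalize_mime(content_type) in INLINE_IMAGE_TYPES:
        return "inline"
    ascii_name = re.sub(r"[^A-Za-z0-9._-]", "_", filename) or "download"
    utf8_name = quote(filename, safe="")
    return f"attachment; filename=\"{ascii_name}\"; filename*=UTF-8''{utf8_name}"


def response_headers(content_type, filename):
    """Headers to emit for a served upload: the disposition plus nosniff,
    so the browser cannot second-guess the declared content type."""
    return {
        "Content-Type": content_type,
        "Content-Disposition": content_disposition(content_type, filename),
        "X-Content-Type-Options": "nosniff",
    }
```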
Credits
Discovered by
- Emir Cüneyt Akkutlu
- Tino Kautschke
Fixed by
- Plone Security Team
Coordinated by
- Plone Security Team