Stored XSS from file upload (svg, html)

Versions affected

  • 5.2.4
  • 5.2.3
  • 5.2.2
  • 5.2.1
  • 5.2.0
  • 5.1rc2
  • 5.1rc1
  • 5.1b4
  • 5.1b3
  • 5.1b2
  • 5.1a2
  • 5.1a1
  • 5.1.7
  • 5.1.6
  • 5.1.5
  • 5.1.4
  • 5.1.2
  • 5.1.1
  • 5.1
  • 5.0rc3
  • 5.0rc2
  • 5.0rc1
  • 5.0.9
  • 5.0.8
  • 5.0.7
  • 5.0.6
  • 5.0.5
  • 5.0.4
  • 5.0.3
  • 5.0.2
  • 5.0.10
  • 5.0.1
  • 5.0
  • 4.3.9
  • 4.3.8
  • 4.3.7
  • 4.3.6
  • 4.3.5
  • 4.3.4
  • 4.3.3
  • 4.3.20
  • 4.3.2
  • 4.3.19
  • 4.3.18
  • 4.3.17
  • 4.3.15
  • 4.3.14
  • 4.3.12
  • 4.3.11
  • 4.3.10
  • 4.3.1
  • 4.3

Vulnerability

A Contributor could upload a specially crafted SVG image containing scripting code. When shown as image, this is safe, because browsers will not execute the script code. When following a link to this image, the code would be executed. Similarly, an html page uploaded as a file could be abused in the same way

Current status

Hotfixed by forcing SVG images to be downloaded when following a link. Showing an SVG image on the page still works fine. We actually force a download for all mime types, except a few image types: jpeg, png, gif, webp, icon

Credits

Discovered by

  • Emir Cüneyt Akkutlu
  • Tino Kautschke

Fixed by

  • Plone Security Team

Coordinated by

  • Plone Security Team