EIQ-2021-0006


ID: EIQ-2021-0006
CVE: -
Description: SVG file upload could allow cross-site scripting (XSS)
Date: 28 Jan 2021
Severity: 2 - MEDIUM
CVSSv3 score: not available on NIST NVD.
Status: ✓ 2.9.2

Assessment

An SVG file uploaded manually to a workspace can contain JavaScript that is executed when the browser renders the uploaded file.
This allows the vulnerability to be exploited for a cross-site scripting (XSS) attack.

To exploit the vulnerability, a potential attacker would need to:

  1. Upload a maliciously crafted SVG file as an attachment to a platform workspace.

  2. Open the /private/files/${workspace_id}/media endpoint by pasting it into the web browser's address bar.

  3. Preview the uploaded SVG in the browser by rendering the preview through the /private/files/${workspace_id}/media endpoint.

When the /private/files/${workspace_id}/media endpoint is opened in the same web browser tab that was used to sign in to the platform, the session token is available through the browser's session storage.
JavaScript embedded in the SVG file can therefore read the token and use it to send valid requests to the platform API.

A signed-in user without admin access rights could exploit the vulnerability if they have at least the permissions to access and modify workspaces and to upload files to workspaces, that is:

  • modify blob-uploads

  • modify files

  • modify workspaces


Proof of concept

Uploading a crafted SVG file with embedded JavaScript, such as the example below, and then rendering it as a preview through the /private/files/${workspace_id}/media endpoint displays an alert pop-up dialog:

<?xml version="1.0" encoding="UTF-8"?>
<svg id="Capa_1" xmlns="http://www.w3.org/2000/svg">
<script>alert(1)</script>
</svg>

[Screenshot] XSS through JavaScript embedded in an SVG file uploaded to a workspace.

Mitigation

This vulnerability is addressed in EclecticIQ Platform 2.10.0 by applying stricter XML sanitization, and by deprecating the /media API endpoint.
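The following is an added example illustrating the two defensive measures this advisory describes, stripping active content from an uploaded SVG before it is stored or served, and serving user uploads in a way that the browser does not execute them as a document in the platform's origin. It is not EclecticIQ Platform code: the function names, the response headers and the sample SVG (built from the proof-of-concept above, with an event-handler attribute and a javascript: link added to exercise the filter) are all constructed for illustration.

```python
"""Added example (not EclecticIQ's code): remove script-bearing content from
an uploaded SVG and build response headers for serving user uploads safely.
Function names and the sample document are assumptions made for this example."""
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
# Keep the default SVG namespace and the xlink prefix readable on output.
ET.register_namespace("", SVG_NS)
ET.register_namespace("xlink", XLINK_NS)

# Elements that can execute script or embed arbitrary HTML inside an SVG.
ACTIVE_ELEMENTS = {"script", "foreignObject"}
# Attributes carrying a URL, which may use the javascript: scheme.
URL_ATTRIBUTES = {"href", f"{{{XLINK_NS}}}href"}
_JS_SCHEME = re.compile(r"^\s*javascript\s*:", re.IGNORECASE)


def _local(name):
    """Local part of a possibly namespaced tag or attribute name."""
    return name.rsplit("}", 1)[-1]


def sanitize_svg(data):
    """Return the SVG with script elements, event-handler attributes and
    javascript: URLs removed. Raises ValueError if the root is not <svg>.

    The stdlib parser is used here; a hardened deployment would parse with
    defusedxml so that entity-expansion attacks are covered as well."""
    if isinstance(data, str):
        data = data.encode("utf-8")
    root = ET.fromstring(data)
    if _local(root.tag) != "svg":
        raise ValueError("not an SVG document")
    # Snapshot the tree first so removals do not disturb the traversal.
    for parent in list(root.iter()):
        for child in list(parent):
            if _local(child.tag) in ACTIVE_ELEMENTS:
                parent.remove(child)
    for element in root.iter():
        for name in list(element.attrib):
            # onload, onclick, onbegin, ... run when the SVG is rendered.
            if _local(name).lower().startswith("on"):
                del element.attrib[name]
            elif name in URL_ATTRIBUTES and _JS_SCHEME.match(element.attrib[name]):
                del element.attrib[name]
    return ET.tostring(root, encoding="unicode")


def upload_response_headers(filename):
    """Headers for serving a user-uploaded file: force a download instead of
    inline rendering, forbid content sniffing, and block script execution and
    same-origin access even if the file is opened directly (constructed example)."""
    safe_name = re.sub(r'["\r\n\\]', "", filename)
    return {
        "Content-Type": "image/svg+xml",
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "script-src 'none'; sandbox",
    }


# Constructed sample: the advisory's proof-of-concept file plus an
# event-handler attribute and a javascript: link.
SAMPLE_SVG = """<?xml version="1.0" encoding="UTF-8"?>
<svg id="Capa_1" xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink">
  <script>alert(1)</script>
  <rect width="10" height="10" onload="alert(1)"/>
  <a xlink:href="javascript:alert(1)"><text>link</text></a>
</svg>"""

if __name__ == "__main__":
    print(sanitize_svg(SAMPLE_SVG))
    print(upload_response_headers("Capa_1.svg"))
```

Sanitizing on upload protects every later consumer of the file, while the headers protect the case the advisory describes: a preview endpoint that returns the raw file in the platform's own origin, where embedded script can read the session token. An SVG shown through an HTML img element never runs script, so rendering previews that way is a further option that does not depend on either measure.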

Affected versions

2.9.1 and earlier.

Notes

n.a.


See also:


In release notes 2.10.0

In release notes 2.9.2

In release notes 2.9.1