SVG file upload could allow cross-site scripting (XSS)


28 Jan 2021



CVSSv3 score

CVSSv3 score not available on NIST NVD.


✅ 2.9.2


It is possible to manually upload to a workspace an SVG file that can inject malicious JavaScript upon rendering the uploaded file.

This could enable exploiting the vulnerability to carry out a cross-site scripting attack (XSS).

To exploit the vulnerability, a potential attacker would need to:

  • Upload a maliciously crafted SVG file as an attachment to a platform workspace.

  • In the web browser, go to the /private/files/${workspace_id}/media endpoint by copy-pasting it in the web browser address bar.

  • Preview the uploaded SVG in the browser by rendering the preview through the /private/files/${workspace_id}/media endpoint.

By opening the /private/files/${workspace_id}/media endpoint in the web browser tab used to sign in to the platform, the session token is available through the web browser’s session storage.

Therefore, embedded JavaScript code in the SVG file can access the token, and use it to send valid requests to the platform API.

A signed-in user without admin access rights could exploit the vulnerability if they have at least the permissions to access and modify workspaces, as well as upload files to workspaces:

  • modify blob-uploads

  • modify files

  • modify workspaces

Proof of concept

Uploading a crafted SVG file with embedded JavaScript such as the one in the example, and then rendering it as a preview through the /private/files/${workspace_id}/media endpoint displays an alert pop-up dialog:

<?xml version="1.0" encoding="UTF-8"?>
<svg id="Capa_1" xmlns="http://www.w3.org/2000/svg">
XSS through JavaScript embedded in an SVG file uploaded to a workspace.

XSS through JavaScript embedded in an SVG file uploaded to a workspace.#


This vulnerability is addressed in EclecticIQ Platform 2.10.0 by applying stricter XML sanitization, and by deprecating the /media API endpoint.

Affected versions

2.9.1 and earlier.