Stored XSS due to crafted SVG file
Categories
(bugzilla.mozilla.org :: General, defect)
People
(Reporter: justdave, Unassigned)
+++ This bug was initially created as a clone of Bug #1595640 +++
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.87 Safari/537.36
Steps to reproduce:
Stored XSS using an SVG file
Log in to Bugzilla:
1) Go to bug..
2) Go to Show Attached Images.
https://bugzilla.mozilla.org/attachment.cgi?id=9107901&action=edit
3) Click on View with SVG image id 9107901
Second XSS:
Replace the edit parameter with t=F6qKq3qWf3AeaxvCfBxjMJ
https://bugzilla.mozilla.org/attachment.cgi?id=9107901&action=edit
https://bugzilla.mozilla.org/attachment.cgi?id=9107901&t=F6qKq3qWf3AeaxvCfBxjMJ
Actual results:
The file should be opened without executing a script.
Expected results:
Successfully executed stored XSS with SVG file.
Comment 1 • 5 years ago • Reporter
The attachments for the POC are on the original bug.
Updated • 5 years ago • Reporter
Cookies are marked as http-only, and also bmoattachments.org is a different domain. Indeed, it is in the public suffix list so it is even more isolated. There is a long history of this bug, and the current measures are considered sufficient. This bug tracker is largely used for the development of a web browser, and the ability to upload HTML attachments is considered useful.
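The isolation the comment above relies on, shown as an added example that is not part of the bug thread or Bugzilla's own code: a simplified same-site and cookie-scope check. `PUBLIC_SUFFIXES` is a constructed two-entry excerpt (with `bmoattachments.org` included because the comment says it is listed), and the `bug1`/`bug2` host names are constructed.

```python
# Constructed excerpt standing in for the real Public Suffix List.
PUBLIC_SUFFIXES = {"org", "bmoattachments.org"}

# Constructed host names used to exercise the checks.
MAIN_SITE = "bugzilla.mozilla.org"
ATTACHMENT_A = "bug1.bmoattachments.org"
ATTACHMENT_B = "bug2.bmoattachments.org"


def public_suffix(host: str) -> str:
    """Longest entry of PUBLIC_SUFFIXES that matches the end of host."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in PUBLIC_SUFFIXES:
            return candidate
    return labels[-1]  # unlisted TLD: fall back to the last label


def registrable_domain(host: str):
    """Public suffix plus one label (eTLD+1); None if host is itself a suffix."""
    host = host.lower().rstrip(".")
    suffix = public_suffix(host)
    if host == suffix:
        return None
    remainder = host[: -(len(suffix) + 1)]
    return remainder.split(".")[-1] + "." + suffix


def same_site(a: str, b: str) -> bool:
    """Two hosts are same-site only if they share a registrable domain."""
    ra, rb = registrable_domain(a), registrable_domain(b)
    return ra is not None and ra == rb


def domain_cookie_accepted(request_host: str, domain_attr: str) -> bool:
    """Would a cookie with Domain=domain_attr be stored as a shared domain cookie?

    A public suffix is never accepted as a shared cookie scope, so script in
    one attachment host cannot plant cookies for its sibling hosts.
    """
    host = request_host.lower().rstrip(".")
    domain = domain_attr.lower().lstrip(".")
    if domain in PUBLIC_SUFFIXES:
        return False
    return host == domain or host.endswith("." + domain)
```

Because the suffix itself is listed, each attachment host is its own site: script running in one attachment is cross-site to the main tracker and to every other attachment host.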