Closed: tranquac closed this issue 1 year ago
@patkon Can you help me check this issue? Looking forward to hearing from you. Thanks.
I think the best solution will be to remove SVG support from the core. Maybe I will write an addon to enable secure SVG upload later.
Yes. That is a good idea for this issue!
Hello friends, the problem is still there and still critical!
No matter what account the user is using, this is broken infrastructure, logic, and architecture!
BR @nu11secur1ty System Administrator - Infrastructure and Penetration testing Engineer.
Thank you for reporting. I've just released Version 2.0.8. From this version on there are no more SVG and XML uploads.
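The fix described above is to stop accepting SVG and XML through the image upload path. The following is an added example, not the project's own code, of how an upload validator can enforce that decision on the file content rather than only on the filename, so that an SVG renamed to `.png` is still rejected. The function name `validate_image_upload`, the raster allowlist and the sample byte strings are all constructed for this example.

```python
import re
from typing import Optional, Tuple

# Allowlisted raster image signatures (magic bytes -> MIME type).
# Constructed for this example; the project's own allowlist is not on the page.
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}

# Extension -> MIME type the content must actually match.
EXTENSION_MIME = {"png": "image/png", "jpg": "image/jpeg",
                  "jpeg": "image/jpeg", "gif": "image/gif"}

# Extensions that are never acceptable as "images": SVG/XML render as
# documents in the browser and can carry script, which is the bug reported.
FORBIDDEN_EXTENSIONS = {"svg", "svgz", "xml", "xhtml", "html", "htm"}

# A raster image never begins with optional BOM/whitespace followed by '<';
# anything that does is markup (SVG, XML, HTML), whatever its name says.
_MARKUP_START = re.compile(rb"^(?:\xef\xbb\xbf)?\s*<")


def sniff_type(data: bytes) -> Optional[str]:
    """Return the MIME type whose magic bytes the content starts with, or None."""
    head = data[:16]
    for magic, mime in MAGIC.items():
        if head.startswith(magic):
            return mime
    return None


def looks_like_markup(data: bytes) -> bool:
    """True when the first non-whitespace byte (after an optional UTF-8 BOM) is '<'."""
    return _MARKUP_START.match(data[:512]) is not None


def validate_image_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Decide whether an upload may be stored as an image.

    Returns (accepted, reason_or_mime). Every check is on the bytes
    actually received; the declared filename is only used to require
    that it agrees with the detected content.
    """
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext in FORBIDDEN_EXTENSIONS:
        return False, f"extension .{ext} is not permitted"
    if looks_like_markup(data):
        return False, "content is XML/SVG markup, not a raster image"
    mime = sniff_type(data)
    if mime is None:
        return False, "content does not match an allowlisted image signature"
    if EXTENSION_MIME.get(ext) != mime:
        return False, f"extension .{ext} does not match detected {mime}"
    return True, mime


# Constructed sample inputs (not files from the original report).
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
JPEG_SAMPLE = b"\xff\xd8\xff\xe0" + b"\x00" * 16
SVG_SAMPLE = b'<?xml version="1.0"?><svg xmlns="http://www.w3.org/2000/svg"/>'
GARBAGE_SAMPLE = b"not an image at all"

if __name__ == "__main__":
    for name, blob in [("photo.png", PNG_SAMPLE), ("xss.svg", SVG_SAMPLE),
                       ("xss.png", SVG_SAMPLE), ("photo.gif", JPEG_SAMPLE),
                       ("photo.jpg", JPEG_SAMPLE), ("blob.png", GARBAGE_SAMPLE)]:
        print(name, validate_image_upload(name, blob))
```

The extension check alone would have let `xss.png` through; the markup sniff and the signature/extension agreement check are what make the rename useless. Serving stored uploads from a separate origin with `Content-Disposition: attachment` is a complementary measure, but the validator above is the part that implements the "no SVG/XML upload" decision from this thread.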
Ok, thank you. 😘🙂
Describe the bug: Cross Site Scripting (XSS) via the image upload function.
To Reproduce: Steps to reproduce the behavior:
Screenshots: xss.svg
Desktop (please complete the following information):
Additional context: XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser-side script, to a different end user.