
Stored XSS in XWiki profile photo upload with SVG


Details

    • Bug
    • Resolution: Invalid
    • Critical
    • None
    • 17.6.0
    • User - User Profile
    • I am using Kali Linux latest with latest update
    • Easy

    Description

      The "Change Photo" functionality in XWiki allows a user to upload profile images. While common image formats (PNG, JPG) are expected, the feature also accepts SVG files without proper sanitization.

      A malicious SVG can include embedded JavaScript. When the file is uploaded as a profile picture and then opened directly (e.g., right-click → open in new tab), the JavaScript payload executes in the victim's browser.

      Example Payload:


      <svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.domain)">
        <text x="10" y="20">XSS Test</text>
      </svg>
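      As an added, defender-side illustration that is not part of the report and not XWiki's own code: an upload-time check in Python that rejects SVGs carrying script-capable constructs, such as the onload handler in the payload above, before they are stored as a profile photo. The element and attribute lists are the example's own assumptions, not an XWiki allowlist.

```python
import re
import xml.etree.ElementTree as ET

# URL schemes that start script execution when an SVG is rendered directly (assumed list).
DANGEROUS_URL_SCHEMES = re.compile(r"^\s*(javascript|data|vbscript)\s*:", re.IGNORECASE)
# Elements that can run script or rewrite attributes at render time (assumed list).
DANGEROUS_ELEMENTS = {"script", "foreignobject", "set", "animate"}

def _local_name(tag):
    # ElementTree renders namespaced names as "{uri}name"; keep only "name".
    return tag.rsplit("}", 1)[-1].lower()

def find_active_content(svg_bytes):
    """Return a list of findings explaining why the SVG is not a safe profile image.

    An empty list means no script-capable construct was found. Malformed XML is
    itself reported as a finding, since a browser may still render it leniently.
    """
    findings = []
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"malformed XML: {exc}"]
    if _local_name(root.tag) != "svg":
        findings.append(f"root element is <{_local_name(root.tag)}>, not <svg>")
    for elem in root.iter():
        name = _local_name(elem.tag)
        if name in DANGEROUS_ELEMENTS:
            findings.append(f"disallowed element <{name}>")
        for attr, value in elem.attrib.items():
            attr_name = _local_name(attr)          # strips the xlink namespace from href
            if attr_name.startswith("on"):
                findings.append(f"event handler attribute {attr_name!r} on <{name}>")
            elif attr_name in ("href", "src") and DANGEROUS_URL_SCHEMES.match(value):
                findings.append(f"script-scheme URL in {attr_name!r} on <{name}>")
    return findings

def is_safe_profile_svg(svg_bytes):
    return not find_active_content(svg_bytes)

# Constructed samples: the payload from the report above, and a benign image.
REPORTED_PAYLOAD = b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.domain)"><text x="10" y="20">XSS Test</text></svg>'
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10"><circle cx="5" cy="5" r="4" fill="teal"/></svg>'

if __name__ == "__main__":
    for label, doc in (("reported", REPORTED_PAYLOAD), ("benign", BENIGN_SVG)):
        verdict = "accept" if is_safe_profile_svg(doc) else "REJECT"
        print(label, "->", verdict, find_active_content(doc))
```

      Rejecting at upload time complements serving user attachments with Content-Disposition: attachment and a restrictive Content-Security-Policy, which keep a directly opened SVG from executing script even if a check like this is bypassed.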

          People

            tmortagne Thomas Mortagne
            dollarboysushil Sushil Poudel