About Vulnerability

This vulnerability arises from a malicious SVG file upload that causes stored XSS. A stored XSS bug via image upload or attachment can have a heavy impact, such as local defacement of the website, cookie theft and more.

What is SVG?

SVG stands for Scalable Vector Graphics. It is an XML-based vector image format for two-dimensional graphics with support for interactivity and animation. SVG images generally contain CSS but, more importantly, can also contain JavaScript. The fact that you can execute JavaScript from inside an image file presents an unexpected vector for XSS attacks.

About the Platform

As per the agreement with the company, I cannot disclose the name. But I want to share my POC for security researchers and security enthusiasts.


Step 1: As usual, I checked the application for vulnerable file upload functionality, but SVG file upload was disabled everywhere. But after a little searching I suddenly found the functionality for writing mails to other users. The interesting thing about this functionality was that it allows any image or document attachment. The first thing I did was upload a malicious SVG file with the code below.


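<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
  <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
  <!-- The script element runs when the browser renders the SVG as a document -->
  <script type="text/javascript">
    prompt('paswword please!');
  </script>
</svg>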

Step 2: I was able to upload it successfully and found that it was uploading the image to its website scripts directory in the form of

Step 3: I put the above URL in the latest Firefox browser, but it was not executing in the browser; instead it was downloading the SVG image. I tried a lot to execute it but had no success.

Step 3: I left it and went to the other avatar upload functionality. There, SVG upload was not allowed. So I tried to put an XSS payload in the PNG EXIF header. There was no success there either. But I hit the jackpot when I analyzed the image location link; it was like

So what is the difference between the above two URLs?

Yes, there is one thing, and that is "view=Y".

Step 4: So I added "view=Y" to the first URL, and now the URL became

Step 5: I checked in the latest browser and got the below result:

[Screenshot: svg_xss1]

Step 6: I reported it and got the award after 10 days.
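The two server-side checks that would have closed this path, as an added example that is not part of the original post or the affected platform's code: scanning an uploaded SVG for active content, and choosing response headers so that a view flag such as view=Y never renders untrusted SVG inline. The function names, the tag list and the inline allowlist are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Elements that can run or embed active content when an SVG is rendered inline.
ACTIVE_TAGS = {"script", "foreignObject", "iframe", "embed", "object"}
# Assumed allowlist of types that may be shown inline from the application origin.
INLINE_SAFE = {"image/png", "image/jpeg", "image/gif"}

def local(name):
    """Strip the '{namespace}' prefix ElementTree puts on tag and attribute names."""
    return name.rsplit("}", 1)[-1]

def svg_findings(data):
    """Return the reasons an uploaded SVG would execute script if rendered inline."""
    if b"<!ENTITY" in data:  # refuse entity declarations instead of expanding them
        return ["entity declaration"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return ["not well-formed XML"]
    findings = []
    for el in root.iter():
        tag = local(el.tag)
        if tag in ACTIVE_TAGS:
            findings.append(f"<{tag}> element")
        for attr, value in el.attrib.items():
            name = local(attr).lower()
            if name.startswith("on"):  # onload, onclick, ...
                findings.append(f"{name} handler on <{tag}>")
            elif name == "href" and "".join(value.split()).lower().startswith("javascript:"):
                findings.append(f"javascript: URL on <{tag}>")
    return findings

def download_headers(content_type, view_requested):
    """Headers for serving a user upload; view_requested models the view=Y flag."""
    safe = content_type in INLINE_SAFE
    return {
        "Content-Type": content_type if safe else "application/octet-stream",
        "Content-Disposition": "inline" if (view_requested and safe) else "attachment",
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }

# Constructed sample with the same structure as the file described in the post.
SAMPLE = b"""<svg xmlns="http://www.w3.org/2000/svg" version="1.1">
<polygon points="0,0 0,50 50,0" fill="#009900"/>
<script type="text/javascript">prompt(1)</script>
</svg>"""
```

The header decision is the part that matters for this bug: the upload filter was bypassed through a second upload path, so the serving endpoint has to refuse inline rendering on its own.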


Published by


Hey! I am a security researcher, tester and hacker. Finding bugs is my passion.
