This vulnerability arises from a malicious SVG file upload that results in stored XSS. A stored XSS bug introduced through an image upload or attachment can have heavy impact, such as defacing the website, stealing cookies and more.
What is SVG?
About the Platform:-
As per the agreement with the company I cannot disclose its name, but I want to share my POC for security researchers and security enthusiasts.
Step 1) As usual, I checked the application for vulnerable file upload functionality, but SVG file upload was disabled everywhere. After some searching I came across the functionality for writing mails to other users. The interesting thing about this functionality was that it allowed any image or document as an attachment. The first thing I did was upload a malicious SVG file with the code below.
Step 2) The upload succeeded, and I found that the image was stored in the website's scripts directory in the form of
Step 3) I opened the above URL in the latest Firefox browser, but it did not execute there; instead the browser downloaded the SVG image. I tried a lot to get it to execute, but with no success.
Step 3) I left it and moved on to the avatar upload functionality. SVG upload was not allowed there, so I tried putting an XSS payload in the PNG EXIF header. No success there either. But I hit the jackpot when I analyzed the image location link, which looked like https://xyz.com/scripts/file.php?view=Y&file=86e24rer3erd1acaa3ere4we89sefggsdr
So what is the difference between the above two URLs?
Yes, there is one thing: “view=Y”
Step 4) So I added “view=Y” to the first URL, and now the URL became
Step 5) I checked it in the latest browser and got the result below:
Step 6) I reported it and got the award after 10 days.
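The fix on the server side is to refuse SVG attachments that carry active content and, independently of any client-controlled parameter such as view=Y, to never serve an uploaded SVG inline from the application's origin. The following is an added example written for this write-up, not code from the affected application; the sample SVG attachments are constructed, and the tag and attribute lists are assumptions about what an SVG upload filter should reject.

```python
import xml.etree.ElementTree as ET

# Constructed sample attachments (not taken from the original post).
MALICIOUS_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" onload="void 0">
  <script>void 0</script>
</svg>"""
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <circle cx="5" cy="5" r="4" fill="red"/>
</svg>"""

# Elements that can carry executable or embedded content (assumed deny-list).
ACTIVE_TAGS = {"script", "foreignobject", "iframe", "embed", "object"}


def _local(name):
    # "{http://www.w3.org/2000/svg}script" -> "script"
    return name.rsplit("}", 1)[-1].lower()


def svg_has_active_content(data):
    """Return True if the SVG upload contains anything that could run script.

    Uses the stdlib parser for brevity; production code should parse untrusted
    XML with a hardened parser (e.g. defusedxml) to avoid entity-expansion attacks.
    """
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return True  # unparseable uploads are rejected, never trusted
    for el in root.iter():
        if _local(el.tag) in ACTIVE_TAGS:
            return True
        for attr, value in el.attrib.items():
            a = _local(attr)
            if a.startswith("on"):  # onload=, onclick=, ... event handlers
                return True
            if a == "href" and value.strip().lower().startswith("javascript:"):
                return True
    return False


def attachment_headers(filename, data, inline_requested):
    """Response headers for serving a stored attachment.

    Whatever the client asks for (the view=Y parameter in the post), an SVG is
    always sent as a download with nosniff and a sandboxing CSP, so a script
    inside it cannot execute in the site's origin.
    """
    is_svg = filename.lower().endswith(".svg") or b"<svg" in data[:512].lower()
    headers = {"X-Content-Type-Options": "nosniff"}
    if is_svg:
        headers["Content-Type"] = "image/svg+xml"
        headers["Content-Disposition"] = f'attachment; filename="{filename}"'
        headers["Content-Security-Policy"] = "default-src 'none'; sandbox"
    else:
        disposition = "inline" if inline_requested else "attachment"
        headers["Content-Disposition"] = f'{disposition}; filename="{filename}"'
    return headers
```

Serving user uploads from a separate, cookie-less origin removes the remaining risk even if a filter bypass is found.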
For More information: