InnoShop Cross-Site Scripting Vulnerability via SVG File Upload
Vulnerability
A stored cross-site scripting vulnerability has been identified in InnoShop versions through 0.3.8. This issue allows attackers to upload malicious SVG files that can execute JavaScript, potentially leading to the theft of cookies from users, including those of administrators.
Impact
Exploitation of this vulnerability allows for stored cross-site scripting, where uploaded SVG files execute JavaScript when accessed, with the potential to steal cookies and impersonate users.
Reproduction
To reproduce this vulnerability, log in as any user and navigate to the 'Edit Profile' section. Upload a malicious SVG file containing JavaScript code into the image upload field and save the changes. Once the SVG image is uploaded, the JavaScript will execute when the image link is clicked, stealing the user's cookies.
Remediation
To address this vulnerability, InnoShop should restrict SVG file uploads or sanitize SVG files using a library like DOMPurify. Additionally, the XSRF-Token cookie should be marked as HttpOnly so that script running in the page cannot read it and transmit it to an external server.
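One way to implement the "restrict SVG file uploads" option, as an added example that is not InnoShop's own code: a Node.js check that accepts a profile image only when its leading bytes match a raster format. The function names, the upload hook and the sample inputs are assumptions constructed for illustration.

```javascript
// Added example (not InnoShop code): accept profile images only when the bytes
// match a raster format, so SVG (XML text) is refused whatever the client claims.
const RASTER_SIGNATURES = [
  { type: 'image/png', ext: 'png', magic: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
  { type: 'image/jpeg', ext: 'jpg', magic: [0xff, 0xd8, 0xff] },
  { type: 'image/gif', ext: 'gif', magic: [0x47, 0x49, 0x46, 0x38] },
];

// Return the matching signature entry, or null when the bytes are not an allowed raster type.
function sniffRasterType(buf) {
  for (const sig of RASTER_SIGNATURES) {
    if (buf.length >= sig.magic.length && sig.magic.every((b, i) => buf[i] === b)) {
      return sig;
    }
  }
  // WebP is a RIFF container: "RIFF", 4 size bytes, then "WEBP".
  if (buf.length >= 12 &&
      buf.toString('latin1', 0, 4) === 'RIFF' &&
      buf.toString('latin1', 8, 12) === 'WEBP') {
    return { type: 'image/webp', ext: 'webp' };
  }
  return null;
}

// Hypothetical upload hook. claimedName and claimedType come from the client
// and are used only for the rejection message, never for the decision.
function validateProfileImage(buf, claimedName, claimedType) {
  const sig = sniffRasterType(buf);
  if (!sig) {
    return { ok: false, reason: `rejected ${claimedName} (${claimedType}): not a raster image` };
  }
  // Store and serve under a type and extension derived from the content.
  return { ok: true, contentType: sig.type, storedExt: sig.ext };
}

// Constructed samples: a PNG header, and an SVG carrying a script element.
const SAMPLE_PNG = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0, 0, 0, 13]);
const SAMPLE_SVG = Buffer.from(
  '<svg xmlns="http://www.w3.org/2000/svg"><script>/* active content */</script></svg>');

console.log(validateProfileImage(SAMPLE_PNG, 'me.svg', 'image/svg+xml'));
console.log(validateProfileImage(SAMPLE_SVG, 'avatar.png', 'image/png'));
```

Because the stored extension and content type come from the sniffed bytes, a file renamed to `.png` or sent with a forged `Content-Type` is still judged on its content.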