Givanz Vvveb SVG File Cross-Site Scripting Vulnerability

Vulnerability

A stored cross-site scripting (XSS) vulnerability has been identified in Givanz Vvveb versions through 1.0.7.2. The issue arises in the SVG File Handler component: SVG+XML files are accepted on upload without their embedded JavaScript being stripped or neutralised, so an attacker can upload an SVG that carries a script payload. The vulnerability is exploitable remotely, and a public exploit is available. Because the script runs in the browser of an administrator who views the file, it acts with that administrator's privileges; successful exploitation could lead to the creation of a super administrator account, followed by the upload and activation of a malicious plugin that executes a reverse shell on the server.

Impact

Exploitation of this vulnerability yields JavaScript execution in the browser of an administrator who views the crafted file (cross-site scripting). Acting with the administrator's privileges, the attacker can create a super administrator account, upload and activate malicious plugins, and thereby achieve remote code execution on the server.

Reproduction

To reproduce this vulnerability, upload a crafted SVG+XML file whose name ends in '.svg/' (note the trailing slash) through any file upload endpoint of Vvveb. The XSS triggers once an administrator views the uploaded file. Alternatively, the same SVG can be uploaded to the plugin directory and rendered on the plugin's homepage, or injected into the body of a post, page, or product; in each case the script runs when an administrator views that content.
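The two checks a file-upload handler needs for the bug class described in the Vulnerability and Reproduction sections, written here as an added Python example (not code from Vvveb or from the advisory): normalise the filename before inspecting its extension, so a name like the '.svg/' one used above cannot slip past a check made on the raw string, and parse the SVG body to reject script elements, event-handler attributes and javascript: URLs before the file is ever served to an administrator. The page does not say which check the trailing slash bypasses in Vvveb, so the filename handling models the generic case; the sample uploads at the bottom are constructed for this example.

```python
"""Checks an SVG upload handler needs for the bug class described above.

Added example, not code from the Vvveb project.  Two things are checked:
  1. the filename is normalised before its extension is inspected, so a
     name such as 'shell.svg/' cannot be stored as 'shell.svg' after an
     extension check saw something else (the trailing '/' is the trick the
     reproduction section uses; which check it bypassed in Vvveb is not
     stated on the page, so this models the generic case);
  2. the SVG body is parsed and rejected if it carries anything that can
     execute script in the viewer's browser.
Sample inputs at the bottom are constructed for this example.
"""
import re
import xml.etree.ElementTree as ET

# Elements that execute script or pull HTML/external content into the SVG.
SCRIPT_TAGS = {"script", "foreignobject", "iframe", "embed", "object", "handler"}
# Attributes whose value is a URL (or, for SMIL animation, a URL target)
# and may therefore carry a javascript: scheme.
URL_ATTRS = {"href", "src", "data", "formaction", "to", "from", "values"}
SCHEME_RE = re.compile(r"^\s*([a-z][a-z0-9+.\-]*):(.*)", re.IGNORECASE | re.DOTALL)
# Extensions accepted at all; SVG is accepted only once its body is scanned.
ALLOWED_EXT = {"png", "jpg", "jpeg", "gif", "webp", "svg"}


def _local(qualified: str) -> str:
    """'{http://www.w3.org/2000/svg}script' -> 'script' (namespace dropped)."""
    return qualified.rsplit("}", 1)[-1].lower()


def clean_filename(name: str) -> str:
    """Basename of the upload with trailing '/', '\\', '.' and spaces removed."""
    name = name.strip().rstrip("/\\. ")
    return name.replace("\\", "/").rsplit("/", 1)[-1]


def extension_of(name: str) -> str:
    """Lower-cased extension of the *normalised* name, '' if there is none."""
    base = clean_filename(name)
    return base.rsplit(".", 1)[-1].lower() if "." in base else ""


def svg_findings(data: bytes) -> list:
    """Return the reasons the SVG is unsafe to render inline (empty list = clean)."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"unparseable XML: {exc}"]
    findings = []
    for elem in root.iter():
        if not isinstance(elem.tag, str):       # comments / PIs, if a parser keeps them
            continue
        tag = _local(elem.tag)
        if tag in SCRIPT_TAGS:
            findings.append(f"<{tag}> element")
        for attr, value in elem.attrib.items():
            name = _local(attr)
            if name.startswith("on"):            # onload=, onclick=, onbegin=, ...
                findings.append(f"event handler {name}= on <{tag}>")
            elif name in URL_ATTRS:
                m = SCHEME_RE.match(value)
                if not m:
                    continue
                scheme, rest = m.group(1).lower(), m.group(2).lower()
                if scheme in ("javascript", "vbscript"):
                    findings.append(f"{scheme}: URL in {name}= on <{tag}>")
                elif scheme == "data" and rest.lstrip().startswith(("text/html", "image/svg")):
                    findings.append(f"data: {rest.split(';', 1)[0].strip()} URL in {name}= on <{tag}>")
    return findings


def upload_allowed(filename: str, data: bytes) -> bool:
    """Accept only if the normalised extension is allowed and, for SVG, the body is clean."""
    ext = extension_of(filename)
    if ext not in ALLOWED_EXT:
        return False
    if ext == "svg":
        return svg_findings(data) == []
    return True


# Constructed sample uploads for this example (not taken from the advisory).
SAMPLES = {
    "logo.svg": b'<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
                b'<circle cx="5" cy="5" r="4" fill="#09f"/></svg>',
    "shell.svg/": b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.domain)">'
                  b'<rect width="1" height="1"/></svg>',
    "inline.svg": b'<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>',
    "link.svg": b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
                b'<a xlink:href="javascript:alert(1)"><text y="10">click</text></a></svg>',
    "photo.PNG": b"\x89PNG\r\n\x1a\n",   # not SVG: accepted on the normalised extension alone
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        ext = extension_of(name)
        verdict = "ACCEPT" if upload_allowed(name, body) else "REJECT"
        detail = svg_findings(body) if ext == "svg" else "-"
        print(f"{verdict:6} {name!r:14} ext={ext!r} findings={detail}")
```

Run as a script to see the verdict for each sample. The scan is a denylist, and SVG has more script-bearing constructs than it enumerates (CSS url() and @import in style elements, external <use> references), so an accepted SVG should still be served with a Content-Disposition: attachment header or from a separate origin rather than rendered inline in the administration interface.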

Remediation

Users are advised to update to the latest version of Givanz Vvveb; the maintainer has acknowledged the vulnerability and released a patch. Until the update is applied, treat user-supplied SVG as untrusted content: block SVG uploads, or serve uploaded SVG only with a Content-Disposition: attachment header and a restrictive Content-Security-Policy so that embedded script cannot run in the application's origin.

Added: Sep 26, 2025, 4:22 PM
Updated: Sep 26, 2025, 6:27 PM

Vulnerability Rating

Custom Algorithm

spread          0.0
impact          6.3
exploitability  6.3
remediation     0.0
relevance       0.6
threat          6.4
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.