Total.js Flow
cpe:2.3:a:totaljs:flow:*:*:*:*:node.js:*:*
- 673ef9144dd25d4f4fd4fdfda5af27f230198924
An unrestricted file upload vulnerability has been identified in Total.js Flow, affecting versions up to commit 673ef9144dd25d4f4fd4fdfda5af27f230198924. The issue is in the SVG File Handler component, where an unspecified function can be manipulated to bypass file upload restrictions. The vulnerability can be exploited remotely, and a public exploit is available.
Exploitation of this vulnerability allows for unrestricted file uploads, which can lead to the execution of malicious files or payloads within the application's environment. In this case, uploaded SVG files can contain scripts that execute when the file is accessed, causing an open redirect or cross-site scripting vulnerability.
To reproduce this vulnerability, upload an SVG file through the application's file upload endpoint. The SVG should include a malicious payload, such as an onload event that redirects to an external site. After the file is uploaded, access it through the admin files list or a direct download link. The SVG will be rendered in a way that triggers the redirect, demonstrating the vulnerability.
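On the defensive side, the following Node.js code is an added example (not code from Total.js Flow or from this advisory) of checking an uploaded SVG for active content before it is stored, and of serving stored SVGs so they download rather than render. The function names, the rule set and the header choices are assumptions made for illustration, and the sample files are constructed.

```javascript
'use strict';
// Added example, not Total.js Flow code: reject-on-match check for uploaded SVGs.
// It rejects any file that could run script; it does not try to sanitize.
function decodeCharRefs(text) {
  // Resolve numeric character references so "&#106;avascript:" reads "javascript:".
  return text.replace(/&#(x[0-9a-f]+|[0-9]+);?/gi, (match, ref) => {
    const hex = /^x/i.test(ref);
    const cp = parseInt(hex ? ref.slice(1) : ref, hex ? 16 : 10);
    return cp > 0 && cp <= 0x10ffff ? String.fromCodePoint(cp) : '';
  });
}

const RULES = [
  { id: 'nul-or-utf16', re: /\u0000/ }, // non-UTF-8 encodings hide markup from the rules
  { id: 'doctype-or-entity', re: /<!\s*(?:DOCTYPE|ENTITY)\b/i }, // custom entities
  { id: 'script-element', re: /<\s*(?:[\w.-]+:)?script\b/i },
  { id: 'foreign-object', re: /<\s*(?:[\w.-]+:)?foreignObject\b/i },
  { id: 'event-handler', re: /[\s"'\/]on[a-z]+\s*=/i }, // onload=, onclick=, ...
  { id: 'script-url', re: /(?:href|src)=["']?(?:javascript:|data:text\/html)/i, compact: true },
];

function inspectSvgUpload(input) {
  const raw = Buffer.isBuffer(input) ? input.toString('utf8') : String(input);
  const decoded = decodeCharRefs(raw);
  // Browsers ignore tabs and newlines inside URLs, so URL rules run on compacted text.
  const compact = decoded.replace(/[\s\u0000-\u001f]+/g, '');
  const findings = RULES.filter(r => r.re.test(r.compact ? compact : decoded)).map(r => r.id);
  return { allowed: findings.length === 0, findings };
}

// Response headers for a stored SVG: download it, and sandbox it if it is rendered anyway.
function svgResponseHeaders(filename) {
  const safeName = String(filename).replace(/[^\w.-]/g, '_');
  return {
    'Content-Type': 'image/svg+xml',
    'Content-Disposition': `attachment; filename="${safeName}"`,
    'Content-Security-Policy': "default-src 'none'; sandbox",
    'X-Content-Type-Options': 'nosniff',
  };
}

// Constructed sample uploads (example.invalid is a placeholder host).
const SAMPLES = {
  benign: '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10"><circle cx="5" cy="5" r="4"/></svg>',
  onloadRedirect: '<svg xmlns="http://www.w3.org/2000/svg" onload="location.href=\'https://example.invalid/\'"/>',
  encodedHref: '<svg xmlns="http://www.w3.org/2000/svg"><a href="&#106;ava&#x73;cript:void(0)"><text y="9">x</text></a></svg>',
};
for (const [name, svg] of Object.entries(SAMPLES)) console.log(name, inspectSvgUpload(svg));
```

The check is deliberately conservative and can reject harmless files; the response headers are the second layer for anything that was stored before the check existed.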