yungifez Skuul School Management System SVG File Upload Cross-Site Scripting Vulnerability

Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in yungifez Skuul School Management System versions through 2.6.5. The issue arises in the SVG File Handler component, specifically at the '/dashboard/schools/1/edit' endpoint. The application accepts unsanitized SVG uploads and serves them back to users without proper content-type enforcement or sanitization. As a result, attackers can embed JavaScript or redirection payloads in the SVGs; when the uploaded image is opened in a new tab, the browser executes the embedded script, resulting in stored XSS or an open redirect.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the page. Additionally, it enables open redirect attacks, where users are forcibly redirected to an external site, potentially leading to phishing or malware distribution.

Reproduction

To reproduce this vulnerability, log in as an admin and navigate to the 'Edit School' section. Upload a malicious SVG file containing a script payload, such as a JavaScript redirection command. Once uploaded, any user who opens the image in a new tab will be redirected to the specified external site.

Remediation

It is recommended to disallow SVG uploads entirely or to sanitize SVG files using libraries like DOMPurify or sanitize-svg before storage. If SVGs must be used, they should be served with the 'Content-Type: image/svg+xml' header and forced to download when possible. Alternatively, only rasterized versions, such as PNG or JPEG, should be stored and served.
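The two controls the remediation describes, sanitizing the SVG before storage and serving it with a correct content type and forced download, as an added illustration that is not Skuul's own code (the project is PHP; this is a stand-alone Python sketch using only the standard library, and the sample upload and the attacker.example host are constructed):

```python
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
ET.register_namespace("", SVG_NS)
ET.register_namespace("xlink", "http://www.w3.org/1999/xlink")
# Elements that run script, embed foreign documents, or can rewrite href attributes
# at runtime (animate/set). Matched on the lower-cased local name.
ACTIVE_TAGS = {"script", "foreignobject", "iframe", "embed", "object", "set", "animate"}

def _scrub(elem: ET.Element) -> None:
    for name in list(elem.attrib):
        local = name.rsplit("}", 1)[-1].lower()          # '{ns}href' -> 'href'
        value = elem.attrib[name].strip().lower()
        # Every on* attribute is a script hook; every href that is not an in-document
        # fragment covers javascript: URLs and the <a href="https://..."> redirect wrapper.
        if local.startswith("on") or (local == "href" and not value.startswith("#")):
            del elem.attrib[name]
    for child in list(elem):
        if child.tag.rsplit("}", 1)[-1].lower() in ACTIVE_TAGS:
            elem.remove(child)
        else:
            _scrub(child)

def sanitize_svg(data: bytes) -> bytes:
    """Return a sanitized copy of an uploaded SVG; raise ValueError if it is unacceptable."""
    # Reject DTDs outright: entity expansion is a DoS vector in the stdlib parser.
    if re.search(rb"<!(DOCTYPE|ENTITY)", data, re.IGNORECASE):
        raise ValueError("DOCTYPE/ENTITY declarations are not accepted")
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        raise ValueError(f"not well-formed XML: {exc}") from exc
    if root.tag != f"{{{SVG_NS}}}svg":
        raise ValueError("root element is not <svg>")
    _scrub(root)
    return ET.tostring(root, encoding="utf-8")

def svg_response_headers(filename: str) -> dict:
    """Headers for a stored SVG: correct type, no sniffing, forced download, script-blocking CSP."""
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", filename) or "image.svg"
    return {"Content-Type": "image/svg+xml",
            "X-Content-Type-Options": "nosniff",
            "Content-Disposition": f'attachment; filename="{safe_name}"',
            "Content-Security-Policy": "default-src 'none'; style-src 'unsafe-inline'; sandbox"}

# Constructed sample modelled on the advisory (attacker.example is a placeholder host).
SAMPLE_UPLOAD = (b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
                 b'<script>window.location="https://attacker.example/"</script>'
                 b'<a xlink:href="https://attacker.example/"><rect width="10" height="10" onload="void 0"/></a></svg>')
```

The sanitizer is deliberately conservative (it also strips legitimate external hrefs such as data: images); where rasterizing to PNG or JPEG on upload is an option, that removes the whole class of problems.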

Added: Nov 30, 2025, 7:17 AM
Updated: Nov 30, 2025, 7:17 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.4
exploitability: 5.9
remediation: 0.0
relevance: 1.2
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.