Fiora Chat Application Cross-Site Scripting Vulnerability

Vulnerability

A Cross-Site Scripting (XSS) vulnerability exists in the Fiora chat application version 1.0.0. This issue allows authenticated users to execute arbitrary JavaScript in the context of other users' browsers by uploading malicious SVG files through the group avatar change feature. The vulnerability is present in both the backend and frontend components of the application.

Impact

Exploitation of this vulnerability allows for Cross-Site Scripting (XSS) attacks, where an attacker can execute malicious scripts in the context of the victim's browser.

Reproduction

To reproduce this vulnerability, log into the Fiora chat application and navigate to a group where you have creator privileges. Use the 'Change Group Avatar' feature to upload a malicious SVG file containing embedded JavaScript. Once uploaded, the malicious script will execute when the SVG avatar is rendered in another user's browser.
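One server-side mitigation for the avatar path described above, as an added example that is not Fiora's own code: identify the uploaded image by its magic bytes and accept only raster formats, so an SVG (an XML document that can carry script elements and event-handler attributes) is never stored as an avatar no matter what extension or MIME type the client claims. The function names, the allow-list and the sample buffers are constructed for this example.

```javascript
// Added example, not Fiora's code. Allow-list by file signature; never trust the
// client-supplied Content-Type or extension when deciding what an avatar is.
const MAGIC = [
  { type: 'image/png',  bytes: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
  { type: 'image/jpeg', bytes: [0xff, 0xd8, 0xff] },
  { type: 'image/gif',  bytes: [0x47, 0x49, 0x46, 0x38] }, // "GIF8"
];

// Returns the detected raster type, or null if the bytes match none of them.
function sniffImageType(buf) {
  for (const { type, bytes } of MAGIC) {
    if (buf.length >= bytes.length && bytes.every((b, i) => buf[i] === b)) return type;
  }
  // WebP: "RIFF" <4-byte size> "WEBP"
  if (buf.length >= 12 && buf.toString('latin1', 0, 4) === 'RIFF' &&
      buf.toString('latin1', 8, 12) === 'WEBP') return 'image/webp';
  return null;
}

// Cheap textual check so the rejection reason can say "SVG" explicitly; the
// decision above already rejects it because it is not on the raster allow-list.
function looksLikeSvg(buf) {
  const head = buf.toString('utf8', 0, Math.min(buf.length, 1024))
    .replace(/^\uFEFF/, '').trimStart().toLowerCase();
  return head.startsWith('<?xml') || head.startsWith('<!doctype svg') || /<svg[\s>]/.test(head);
}

// Validate an avatar upload. claimedMime is what the client sent (may be null).
// The stored Content-Type must be the sniffed one, not the claimed one.
function validateAvatarUpload(buf, claimedMime) {
  const detected = sniffImageType(buf);
  if (detected === null) {
    return { ok: false, reason: looksLikeSvg(buf) ? 'svg-not-allowed' : 'unknown-format' };
  }
  if (claimedMime && claimedMime !== detected) return { ok: false, reason: 'mime-mismatch' };
  return { ok: true, type: detected };
}

// Constructed samples (not real files): a PNG signature plus IHDR chunk header,
// and an SVG carrying an event handler and a script element, the kind of upload
// the advisory describes.
const SAMPLE_PNG = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a,
                               0, 0, 0, 13, 0x49, 0x48, 0x44, 0x52]);
const SAMPLE_SVG = Buffer.from(
  '<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"><script>alert(1)</script></svg>');
```

Serve stored avatars with the sniffed Content-Type and `X-Content-Type-Options: nosniff` so the browser cannot reinterpret a stored file as a document.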

Added: Oct 1, 2025, 4:18 PM
Updated: Oct 1, 2025, 4:18 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 1.7
exploitability: 6.3
remediation: 0.0
relevance: 0.6
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.