XunRuiCMS Stored Cross-Site Scripting Vulnerability via SVG File Upload

A stored Cross-Site Scripting vulnerability has been identified in XunRuiCMS version 4.7.1. This issue arises from inadequate validation of SVG file uploads in the 'dayrui/Fcms/Library/Upload.php' component. The vulnerability allows attackers to inject malicious JavaScript that executes when the uploaded file is accessed.

Impact

Exploitation of this vulnerability allows for the execution of arbitrary JavaScript in the context of the victim's browser, potentially leading to the theft of sensitive information such as session cookies, performing actions on behalf of the victim, and escalating to more severe attacks.

Reproduction

The vulnerability can be reproduced by uploading a crafted SVG file that includes JavaScript execution vectors, such as event handlers, through the application's file upload functionality. After the file is uploaded, accessing it will trigger the execution of the injected JavaScript.

Remediation

To address this vulnerability, XunRuiCMS should implement proper validation and sanitization of SVG files in the 'Upload.php' component. This includes removing potentially dangerous attributes and elements, updating the validation routine to check for event handlers and other JavaScript execution vectors, and considering the use of a Content Security Policy to prevent the execution of inline scripts.