Emlog Pro
cpe:2.3:a:emlog_pro_project:emlog_pro:*:*:*:*:*:*:*
- 2.5.19
A stored Cross-Site Scripting vulnerability has been identified in Emlog Pro version 2.5.19. This issue arises from inadequate validation of SVG file uploads in the media management component, allowing attackers to upload harmful SVG files embedded with JavaScript. The malicious code executes when the uploaded file is accessed.
Exploitation of this vulnerability allows for the execution of arbitrary JavaScript in the context of the victim's browser, potentially leading to the theft of sensitive information such as session cookies and authentication tokens. This could enable an attacker to perform actions on behalf of the victim or escalate privileges, especially if combined with other vulnerabilities.
The vulnerability can be reproduced by uploading a crafted SVG file containing JavaScript payloads through the media upload interface in the admin panel. Once the file is uploaded, accessing it will trigger the execution of the embedded JavaScript, demonstrating the XSS vulnerability.
To address this vulnerability, Emlog Pro should implement proper validation and sanitization of SVG files, removing dangerous elements and attributes. Additionally, converting SVG files to safer formats like PNG during upload, applying a Content Security Policy to restrict script execution, and serving uploaded SVGs with a MIME type that disables script execution are recommended.
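The sanitization step recommended above could look like the following allowlist filter. This is an added example in PHP (the language Emlog is written in), not Emlog Pro's own code or its fix; the function name `sanitize_svg` and both allowlists are assumptions chosen for illustration.

```php
<?php
// Added example, not Emlog Pro code. Both allowlists are assumptions; extend them deliberately.
const SVG_NS = 'http://www.w3.org/2000/svg';
const ALLOWED_ELEMENTS = ['svg', 'g', 'path', 'rect', 'circle', 'ellipse', 'line',
    'polyline', 'polygon', 'text', 'tspan', 'title', 'desc'];
const ALLOWED_ATTRIBUTES = ['viewBox', 'width', 'height', 'x', 'y', 'x1', 'y1', 'x2', 'y2',
    'cx', 'cy', 'r', 'rx', 'ry', 'd', 'points', 'fill', 'stroke', 'stroke-width',
    'transform', 'opacity', 'font-size', 'font-family', 'text-anchor'];

/** Returns sanitized SVG markup, or null if the upload should be rejected. */
function sanitize_svg(string $raw): ?string
{
    $doc = new DOMDocument();
    // LIBXML_NONET: never fetch remote DTDs or entities while parsing.
    if ($raw === '' || !@$doc->loadXML($raw, LIBXML_NONET)) {
        return null;                                  // empty or not well-formed XML
    }
    $root = $doc->documentElement;
    if ($doc->doctype !== null || $root->localName !== 'svg' || $root->namespaceURI !== SVG_NS) {
        return null;                                  // DTD/entities present, or root is not <svg>
    }
    $xpath = new DOMXPath($doc);
    // Snapshot each node list first: removing nodes from a live list skips entries.
    foreach (iterator_to_array($xpath->query('//*'), false) as $el) {
        $allowed = $el->namespaceURI === SVG_NS && in_array($el->localName, ALLOWED_ELEMENTS, true);
        if (!$allowed) {                              // script, foreignObject, use, a, animate, ...
            $el->parentNode->removeChild($el);
            continue;
        }
        foreach (iterator_to_array($el->attributes, false) as $attr) {
            // Drops on* handlers, href/xlink:href, style, and any value carrying a url() reference.
            if ($attr->namespaceURI !== null || stripos($attr->value, 'url(') !== false
                || !in_array($attr->localName, ALLOWED_ATTRIBUTES, true)) {
                $el->removeAttributeNode($attr);
            }
        }
    }
    foreach (iterator_to_array($xpath->query('//comment()|//processing-instruction()'), false) as $n) {
        $n->parentNode->removeChild($n);
    }
    return $doc->saveXML($doc->documentElement);
}

// Constructed sample upload: a script element and an event handler in an otherwise valid SVG.
$sample = '<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10" onload="f()">'
        . '<script>/* attacker script */</script><rect width="10" height="10" fill="red"/></svg>';
echo sanitize_svg($sample), PHP_EOL;
```

Sanitizing on upload is one layer; the uploaded file should still be served with the restrictive response headers described above, for example `Content-Security-Policy: script-src 'none'` together with `X-Content-Type-Options: nosniff`.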