MetInfo CMS
cpe:2.3:a:metinfo:metinfo:*:*:*:*:*:*:*
- 8.0
A stored Cross-Site Scripting (XSS) vulnerability exists in MetInfo CMS version 8.0. This issue arises from inadequate validation and sanitization of SVG file uploads in the 'app\system\include\module\editor\Uploader.class.php' component. Attackers can exploit this vulnerability by uploading malicious SVG files that contain JavaScript code, which executes when the file is accessed or viewed.
Exploitation of this vulnerability allows for the execution of arbitrary JavaScript in the context of the user viewing the affected page, including administrators. This could lead to the theft of session cookies and authentication tokens, unauthorized actions on behalf of the user, and potentially more severe attacks by chaining with other vulnerabilities.
To reproduce this vulnerability, upload a malicious SVG file through the product management module. The uploaded file will be stored in the system and execute the embedded JavaScript when the corresponding product page is accessed.
To address this vulnerability, MetInfo CMS should improve the 'Uploader.class.php' component by validating and sanitizing SVG file content, removing dangerous elements and attributes, and possibly converting SVGs to safer formats like PNG or JPEG before storage. Additionally, implementing a Content Security Policy to block script execution from uploaded files and serving SVGs with a sanitized MIME type could enhance security.
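The content-sanitization step recommended above, as an added example (not MetInfo's code or a vendor patch): an allowlist filter that an upload handler could call before storing an SVG. The function name `sanitize_svg` and both allowlists are assumptions chosen for static images; the Content Security Policy and MIME-type measures are separate controls and are not shown.

```php
<?php
// Added example: hypothetical allowlist sanitizer, not MetInfo code.
const SVG_NS = 'http://www.w3.org/2000/svg';
const SVG_ELEMENTS = ['svg', 'g', 'defs', 'title', 'desc', 'path', 'rect', 'circle',
    'ellipse', 'line', 'polyline', 'polygon', 'linearGradient', 'radialGradient', 'stop'];
const SVG_ATTRS = ['id', 'class', 'viewBox', 'width', 'height', 'x', 'y', 'x1', 'y1',
    'x2', 'y2', 'cx', 'cy', 'r', 'rx', 'ry', 'd', 'points', 'transform', 'fill',
    'stroke', 'stroke-width', 'opacity', 'offset', 'stop-color'];

/** Returns a sanitized SVG string, or null when the upload must be rejected. */
function sanitize_svg(string $svg): ?string
{
    if ($svg === '') {
        return null;
    }
    $doc = new DOMDocument();
    $prev = libxml_use_internal_errors(true);      // keep parse warnings out of the response
    $ok = $doc->loadXML($svg, LIBXML_NONET);       // never fetch anything over the network
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    $root = $ok ? $doc->documentElement : null;
    // Reject non-SVG roots and any DTD (entity declarations, external subsets).
    if ($root === null || $doc->doctype !== null
        || $root->namespaceURI !== SVG_NS || $root->localName !== 'svg') {
        return null;
    }
    // Snapshot the live node list: removing nodes while iterating it skips entries.
    foreach (iterator_to_array($doc->getElementsByTagName('*'), false) as $el) {
        if ($el->namespaceURI !== SVG_NS || !in_array($el->localName, SVG_ELEMENTS, true)) {
            $el->parentNode->removeChild($el);     // drops script, foreignObject, a, use, ...
            continue;
        }
        foreach (iterator_to_array($el->attributes, false) as $attr) {
            $known = $attr->namespaceURI === null && in_array($attr->localName, SVG_ATTRS, true);
            // Values are limited to characters used by numbers, colours, path data, url(#id).
            if (!$known || !preg_match('/^[A-Za-z0-9_#.,\s()%+\-]*$/', $attr->value)) {
                $el->removeAttributeNode($attr);   // drops on* handlers, href, style, ...
            }
        }
    }
    return $doc->saveXML($root) ?: null;
}

// Constructed sample upload: a script element and an event handler around one shape.
$sample = '<svg xmlns="http://www.w3.org/2000/svg" onload="void 0" viewBox="0 0 10 10">'
    . '<script>void 0</script><circle cx="5" cy="5" r="4" fill="#c00"/></svg>';
echo sanitize_svg($sample), PHP_EOL;
```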