KUNO CMS Stored Cross-Site Scripting Vulnerability via SVG File Upload

Vulnerability

A stored cross-site scripting vulnerability has been identified in KUNO CMS versions 1.3.13 and prior. The issue arises from the application's file upload feature, which fails to properly validate uploaded SVG files. The upload endpoint relies solely on Content-Type headers for validation, allowing attackers to upload SVG files containing malicious scripts disguised as images. When these files are accessed, the embedded scripts execute in the user's browser, potentially leading to session hijacking or other malicious actions.

Impact

Exploitation of this vulnerability allows for the execution of arbitrary JavaScript in the context of the user’s browser. This could result in session hijacking, theft of CSRF tokens, and execution of sensitive actions on behalf of the user, such as modifying site configurations or creating new administrator accounts.

Reproduction

To reproduce this vulnerability, upload an SVG file containing a script payload through the application's media upload interface. The file can initially be disguised as a PNG to bypass frontend validations. Once uploaded, the malicious script will execute when the SVG file is accessed.

Remediation

Users can update to KUNO CMS version 1.3.14 or later, where this vulnerability has been fixed.
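
The root cause described above, trusting the Content-Type header, can be illustrated with a server-side check that inspects the uploaded bytes instead. This is an added example, not KUNO CMS code or the project's actual fix; the function names, the allow-list and the sample input are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Assumed allow-list for a hypothetical media endpoint: magic bytes -> type.
MAGIC = {b"\x89PNG\r\n\x1a\n": "image/png", b"\xff\xd8\xff": "image/jpeg",
         b"GIF87a": "image/gif", b"GIF89a": "image/gif"}
ACTIVE_TAGS = {"script", "foreignobject", "iframe", "embed", "object"}

def sniff_type(data: bytes):
    """Type implied by the bytes themselves (None if unknown), ignoring headers."""
    for magic, mime in MAGIC.items():
        if data.startswith(magic):
            return mime
    return "image/svg+xml" if b"<svg" in data[:1024].lower() else None

def svg_active_content(data: bytes) -> list:
    """List script-capable constructs found in an SVG document."""
    if re.search(rb"<!(doctype|entity)", data, re.I):
        return ["DOCTYPE/ENTITY declaration"]  # refuse before parsing
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return ["unparseable XML"]
    found = []
    for el in root.iter():
        tag = el.tag.rsplit("}", 1)[-1].lower()  # drop XML namespace
        if tag in ACTIVE_TAGS:
            found.append(f"<{tag}> element")
        for name, value in el.attrib.items():
            attr = name.rsplit("}", 1)[-1].lower()
            # Browsers ignore tabs/newlines inside a URL scheme, so strip them.
            target = re.sub(r"[\s\x00-\x1f]", "", value).lower()
            if attr.startswith("on"):
                found.append(f"{attr} handler")
            elif attr == "href" and target.startswith("javascript:"):
                found.append("javascript: href")
    return found

def validate_upload(declared: str, data: bytes) -> tuple:
    """Accept only if the sniffed type is allowed, matches, and is script-free."""
    actual = sniff_type(data)
    if actual is None:
        return False, "unrecognised content"
    if actual != declared:
        return False, f"declared {declared}, content is {actual}"
    found = svg_active_content(data) if actual == "image/svg+xml" else []
    return (not found, "active content: " + ", ".join(found) if found else "ok")

# Constructed sample: SVG bytes that a client might send with a PNG Content-Type.
SAMPLE_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>'
```

The element and attribute checks are a deny-list and will not cover every script-capable SVG construct. Serving user-uploaded SVG as an attachment or under a restrictive Content-Security-Policy is the sturdier control.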

Added: Oct 3, 2025, 10:17 PM
Updated: Oct 3, 2025, 10:17 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.4
exploitability: 7.7
remediation: 7.7
relevance: 0.7
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.