66biolinks by AltumCode Cross-Site Scripting Vulnerability via SVG Favicon Upload
Vulnerability
A cross-site scripting vulnerability has been identified in 66biolinks by AltumCode, specifically in version 61.0.1. This vulnerability allows an attacker to execute arbitrary code by uploading a crafted favicon file. The application permits users to upload SVG files as favicons for their biolink pages. While server-side sanitization removes certain HTML elements, it fails to adequately filter or neutralize anchor and image tags embedded within the SVG. Consequently, an attacker can inject an SVG containing unfiltered HTML elements, which will be rendered when other users visit the favicon link. Although the sanitization rules prevent JavaScript execution, the injection of HTML tags enables stored HTML injection, external resource loading through images, phishing vectors via links, referrer leakage, and potential escalation if the sanitization bypass is exploited or browser behavior changes.
Impact
Exploitation of this vulnerability allows for stored HTML injection, where injected content is saved and displayed to users. This could include deceptive links or UI elements that, when interacted with, could lead to phishing attempts or exposure of internal URLs and user identifiers to third-party servers.
Reproduction
To reproduce this vulnerability, upload an SVG file as a favicon for a biolink page. After saving the changes, the injected HTML, such as an image or link, will be executed or displayed when the favicon URL is accessed.
Remediation
It is recommended to sanitize SVG uploads by removing all HTML-capable elements, serve uploaded SVGs as sanitized raster images to eliminate risks, and apply output encoding when rendering user-supplied content on profile pages.
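The first remediation step, stripping every HTML-capable element from an uploaded SVG, is the one a developer most often gets wrong by working from a denylist, which is exactly the gap this advisory describes (some elements removed, anchors and images left in place). The following is an added example of an allowlist-based sanitizer; it is not code from 66biolinks or AltumCode, and the element allowlist, the attribute rules and the sample favicon are assumptions constructed for the demonstration. The sample mirrors the shape of upload described above so the test can confirm that anchors, images, foreignObject, script and event-handler attributes are all dropped while plain shapes survive.

```python
"""Allowlist SVG sanitizer for favicon uploads (added example, not project code)."""
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"

# Serialise with the SVG default namespace instead of an ns0: prefix.
ET.register_namespace("", SVG_NS)
ET.register_namespace("xlink", XLINK_NS)

# Assumed allowlist: pure drawing primitives only. Anything that can link,
# embed, script or host foreign markup (a, image, use, foreignObject, script,
# text, ...) is deliberately absent, so it is removed whatever its spelling.
ALLOWED_ELEMENTS = {
    "svg", "g", "defs", "title", "desc", "path", "rect", "circle", "ellipse",
    "line", "polyline", "polygon", "linearGradient", "radialGradient", "stop",
    "clipPath", "mask",
}


def _local(qname):
    """Strip the {namespace} part ElementTree prepends to element/attribute names."""
    return qname.split("}", 1)[1] if qname.startswith("{") else qname


def _strip_attributes(elem):
    """Remove attributes that can run script or reach out to other origins."""
    for attr in list(elem.attrib):
        name = _local(attr)
        # on* handlers (onload, onclick, ...), href/xlink:href, and style
        # (which may carry url(...) references) are never needed for an icon.
        if name.startswith("on") or name == "href" or name == "style":
            del elem.attrib[attr]


def sanitize_svg(svg_bytes):
    """Return (sanitized SVG bytes, list of removed element names).

    Elements not on the allowlist are removed together with their subtrees,
    so markup nested inside an <a> or <foreignObject> never survives.
    Note: in production parse with defusedxml to cap entity expansion.
    """
    root = ET.fromstring(svg_bytes)
    if _local(root.tag) != "svg":
        raise ValueError("upload is not an SVG document")
    removed = []

    def walk(elem):
        for child in list(elem):
            if _local(child.tag) not in ALLOWED_ELEMENTS:
                removed.append(_local(child.tag))
                elem.remove(child)  # drops the whole subtree
                continue
            _strip_attributes(child)
            walk(child)

    _strip_attributes(root)
    walk(root)
    return ET.tostring(root, encoding="utf-8"), removed


# Constructed sample upload: a harmless circle plus the kinds of markup the
# advisory says must not survive sanitization. Hosts are placeholders.
SAMPLE_UPLOAD = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" width="32" height="32">
  <circle cx="16" cy="16" r="12" fill="#36c" onload="x()"/>
  <a xlink:href="https://attacker.example/login"><text x="0" y="16">Sign in</text></a>
  <image href="https://attacker.example/pixel.gif" width="1" height="1"/>
  <foreignObject><body xmlns="http://www.w3.org/1999/xhtml"><p>hi</p></body></foreignObject>
  <script>alert(1)</script>
</svg>"""


def sanitize_sample():
    """Run the sanitizer over the constructed upload and return its results."""
    return sanitize_svg(SAMPLE_UPLOAD)


if __name__ == "__main__":
    cleaned, dropped = sanitize_sample()
    print("removed elements:", dropped)
    print(cleaned.decode())
```

The design choice worth copying is the direction of the check: the sanitizer asks "is this element known to be safe?" rather than "is this element known to be dangerous?", so a missed element name fails closed. Even with this in place, the second and third remediation steps still matter: rasterizing the icon server-side removes the SVG parser from the picture entirely, and output encoding covers any place the filename or other user-supplied text is rendered on the profile page.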
