Givanz Vvveb Cross-Site Scripting Vulnerability in Endpoint Module

Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in Givanz Vvveb versions through 1.0.5. The issue resides in the Endpoint module, specifically at '/vadmin123/index.php?module=content/post&type=post'. This vulnerability allows remote attackers to inject malicious SVG payloads as 'Featured Media', which can then be exploited to steal cookies from users, including site admins and editors.

Impact

Exploitation of this vulnerability allows for authenticated stored cross-site scripting, with the potential to steal cookies from users, including site admins, editors, or super admins.

Reproduction

To reproduce this vulnerability, an authenticated user with editor privileges can upload a malicious SVG file as 'Featured Media' on posts or pages. The SVG file must be crafted to include a cookie-stealing payload, which is executed when the image is opened in a new tab.

Remediation

Users are advised to upgrade to Givanz Vvveb version 1.0.6, which addresses this vulnerability.
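
For auditing media that was uploaded before the upgrade, the following added example (not Vvveb's code and not the 1.0.6 fix) flags SVG files that carry active content of the kind described under Reproduction. The function names and the sample SVG strings are constructed for illustration, and the check is a heuristic deny-list.

```python
import xml.etree.ElementTree as ET

# Elements that can run script or embed foreign documents when an SVG is opened directly.
ACTIVE_ELEMENTS = {"script", "foreignObject", "iframe", "object", "embed"}

def local(name: str) -> str:
    """Drop the '{namespace}' prefix ElementTree puts on tag and attribute names."""
    return name.rsplit("}", 1)[-1]

def svg_findings(data: bytes) -> list[str]:
    """Return the reasons to reject an uploaded SVG; an empty list means none were found."""
    upper = data.upper()
    if b"<!DOCTYPE" in upper or b"<!ENTITY" in upper:
        # Refuse before parsing so entity declarations never reach the XML parser.
        return ["DOCTYPE/ENTITY declaration"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return ["not well-formed XML"]
    findings = []
    for el in root.iter():
        tag = local(el.tag)
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"<{tag}> element")
        for name, value in el.attrib.items():
            attr = local(name)
            if attr.lower().startswith("on"):
                findings.append(f"event handler {attr} on <{tag}>")
            # Whitespace is removed first because browsers ignore it inside URL schemes.
            elif "javascript:" in "".join(value.split()).lower():
                findings.append(f"javascript: URL in {attr} on <{tag}>")
    return findings

# Constructed sample inputs (harmless placeholders, not taken from the advisory).
NS = b'xmlns="http://www.w3.org/2000/svg"'
SAMPLES = {
    "plain": b"<svg " + NS + b'><circle r="4"/></svg>',
    "scripted": b"<svg " + NS + b' onload="void(0)"><script>/* constructed */</script></svg>',
    "link": b"<svg " + NS + b' xmlns:xlink="http://www.w3.org/1999/xlink">'
            b'<a xlink:href="javascript:void(0)"><text>x</text></a></svg>',
    "doctype": b'<!DOCTYPE svg [<!ENTITY x "y">]><svg ' + NS + b"/>",
}

if __name__ == "__main__":
    for label, blob in SAMPLES.items():
        print(label, svg_findings(blob) or "no active content found")
```
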

Added: Aug 14, 2025, 7:18 PM
Updated: Aug 14, 2025, 9:02 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 1.0
exploitability: 6.3
remediation: 7.7
relevance: 0.3
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.