GetSimple CMS Stored Cross-Site Scripting Vulnerability via SVG File Upload

Vulnerability

A stored cross-site scripting vulnerability has been identified in GetSimple CMS, affecting all versions through 3.3.22. The issue arises from the application's handling of SVG file uploads. Authenticated users can upload SVG files through the administrative upload feature, but these files are not adequately sanitized or restricted. Because SVG is an XML format that can carry script, this lack of handling allows malicious JavaScript to be embedded in the uploaded file, where it executes in the browser whenever the SVG is accessed. The vulnerability persists until the file is deleted, as the injected script is stored on the server.

Impact

Exploitation of this vulnerability allows authenticated users to execute arbitrary JavaScript in the context of the GetSimple CMS application. This could lead to unauthorized actions being performed on behalf of other users, or facilitate phishing attacks or UI redressing. The stored nature of the vulnerability means that its effects last until the malicious file is removed.

Reproduction

To reproduce this vulnerability, log in to GetSimple CMS as an authenticated user. Navigate to the file upload endpoint and upload an SVG file containing embedded JavaScript, such as a script tag with an alert command. After uploading, access the SVG file through the application interface or direct URL to observe the execution of the JavaScript in the browser.

Remediation

To address this vulnerability, SVG uploads can be disallowed entirely, or uploaded SVG files can be sanitized using a strict allowlist-based SVG sanitizer. Additionally, storing uploaded files outside the web root can help mitigate the risk.
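As an added example (not GetSimple CMS code), the following Python shows the two remediation options above in working form: a content-based check that recognizes an SVG upload regardless of the extension the client supplied, and a strict allowlist sanitizer that drops every element and attribute not explicitly permitted. The allowlists are an assumption for illustration and should be trimmed or extended to what a site actually needs.

```python
import xml.etree.ElementTree as ET  # NOTE: in production parse with defusedxml to block entity-expansion DoS

SVG_NS = "http://www.w3.org/2000/svg"
ET.register_namespace("", SVG_NS)  # emit the default namespace on output instead of ns0: prefixes

# Strict allowlist (assumed for this example): anything not listed, such as
# script, foreignObject, use, image, style or a, is dropped with its subtree.
ALLOWED_TAGS = {"svg", "g", "defs", "title", "desc", "path", "rect", "circle", "ellipse",
                "line", "polyline", "polygon", "text", "linearGradient", "stop"}
ALLOWED_ATTRS = {"width", "height", "viewBox", "d", "x", "y", "x1", "y1", "x2", "y2", "cx", "cy",
                 "r", "rx", "ry", "points", "fill", "stroke", "stroke-width", "transform",
                 "font-size", "id", "offset", "stop-color"}


def _local(name: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tag and attribute names."""
    return name.split("}", 1)[1] if name.startswith("{") else name


def is_svg(data: bytes) -> bool:
    """Content-based check: the upload is SVG if it parses as XML with an <svg> root,
    whatever file extension or Content-Type the client claimed."""
    try:
        return _local(ET.fromstring(data).tag) == "svg"
    except ET.ParseError:
        return False


def _clean(elem: ET.Element) -> None:
    for child in list(elem):
        if _local(child.tag) in ALLOWED_TAGS:
            _clean(child)
        else:
            elem.remove(child)  # removes the element and everything under it (e.g. <script>)
    for attr in list(elem.attrib):
        name = _local(attr)
        # Reject unknown attributes and every on* event handler (onload, onclick, ...).
        if name not in ALLOWED_ATTRS or name.lower().startswith("on"):
            del elem.attrib[attr]


def sanitize_svg(data: bytes) -> bytes:
    """Return an allowlist-sanitized copy of an SVG upload; raises ValueError if not SVG."""
    root = ET.fromstring(data)
    if _local(root.tag) != "svg":
        raise ValueError("upload is not an SVG document")
    _clean(root)
    return ET.tostring(root)


# Constructed sample mirroring the advisory: a script element plus an event-handler attribute.
SAMPLE = (b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)">'
          b'<script>alert(1)</script><circle cx="5" cy="5" r="4" fill="red"/></svg>')

if __name__ == "__main__":
    print(sanitize_svg(SAMPLE).decode())
```

Rejecting the upload outright when `is_svg` returns true is the simpler option; the sanitizer is for sites that must keep accepting SVG.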

Added: Feb 21, 2026, 12:20 AM
Updated: Feb 21, 2026, 12:20 AM

Vulnerability Rating

Custom Algorithm

spread: 5.2
impact: 1.7
exploitability: 6.5
remediation: 8.3
relevance: 3.2
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.