TypiCMS Stored Cross-Site Scripting Vulnerability in SVG File Upload Module

Vulnerability

A stored cross-site scripting vulnerability has been identified in TypiCMS, a multilingual content management system built on Laravel. This issue affects versions prior to 16.1.7 and arises in the file upload module, where users with upload permissions can submit SVG files. Although MIME type validation is performed, the SVG content itself is not sanitized. An attacker can exploit this by uploading a crafted SVG file containing malicious JavaScript. When another user, such as an administrator, opens the file, the script executes in their browser, compromising their session. The vulnerability is compounded by a bug in the SVG parsing that triggers a server error if the SVG lacks a 'viewBox' attribute, but this is easily circumvented by including a valid 'viewBox' in the malicious file.

Impact

Exploitation allows for execution of arbitrary JavaScript in the context of the victim's browser, leading to a full compromise of the user's account. This includes actions such as creating administrator accounts, changing passwords, deleting content, and accessing sensitive information through the admin panel. The vulnerability could also be used for phishing attacks or keystroke logging.

Reproduction

To reproduce this vulnerability, upload a malicious SVG file containing JavaScript through the TypiCMS file upload module. Ensure the file includes a 'viewBox' attribute so that the application's SVG parsing bug is not triggered. Once the file is uploaded, an administrator who opens its public URL will unknowingly execute the embedded script in their browser.

Remediation

Users are advised to update TypiCMS to version 16.1.7 or later, where this vulnerability has been fixed. Additionally, consider implementing a Content-Security-Policy to mitigate the impact of any potential XSS vulnerabilities.
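The root cause above is that the upload path trusts the declared MIME type and never inspects the SVG body. The following is an added example, not TypiCMS code, of the kind of server-side acceptance check that closes that gap: it parses the uploaded bytes as XML and rejects script elements, event-handler attributes and javascript:/non-image data: URLs in href attributes (including ones obfuscated with embedded whitespace, which browsers strip before reading the scheme). It also turns the missing-viewBox case described in the advisory into a clear rejection instead of a server error. The function name `scan_svg`, the sample SVG documents and the element/attribute lists are constructed for this example; the lists are a practical baseline, not an exhaustive specification of dangerous SVG content, so a deployment should still serve user uploads from a separate origin or with a restrictive Content-Security-Policy as the remediation recommends.

```python
"""Server-side acceptance check for uploaded SVG files.

Hypothetical helper (not part of TypiCMS): scan_svg() returns a list of reasons
to reject an upload; an empty list means nothing dangerous was found.
"""
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"

# Elements that execute script or embed foreign content. None of these is needed
# for an icon or illustration, so their presence alone is grounds for rejection.
# (Assumed baseline list for this example, not an exhaustive one.)
FORBIDDEN_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object", "handler"}


def _local(name: str) -> str:
    """Strip an ElementTree '{namespace}' prefix and lower-case the result.

    'xlink:href' arrives from the parser as '{http://www.w3.org/1999/xlink}href',
    so after stripping both plain href and xlink:href compare as 'href'.
    """
    return name.rsplit("}", 1)[-1].lower()


def _unsafe_url(value: str) -> bool:
    """True for javascript:/vbscript: URLs and for data: URLs that are not plain
    raster images. Whitespace and control characters are removed first because
    browsers ignore them when reading the scheme ('java\\tscript:' still runs)."""
    compact = re.sub(r"[\x00-\x20]", "", value).lower()
    if compact.startswith(("javascript:", "vbscript:")):
        return True
    if compact.startswith("data:") and not compact.startswith("data:image/"):
        return True
    # A nested SVG inside a data: URL would be scanned by nobody, so refuse it too.
    return compact.startswith("data:image/svg+xml")


def scan_svg(data: bytes) -> list:
    """Return a list of findings for an uploaded SVG; empty means acceptable."""
    findings = []
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        # Malformed input never reaches the renderer: reject with a clean message.
        return [f"not well-formed XML: {exc}"]

    if root.tag != f"{{{SVG_NS}}}svg":
        findings.append(f"root element is {root.tag!r}, not an SVG document")
    if "viewBox" not in root.attrib:
        # The advisory notes the unpatched parser raised a server error on files
        # without viewBox; rejecting them explicitly replaces that 500 with a
        # validation message (design choice for this example).
        findings.append("missing viewBox attribute")

    for elem in root.iter():
        tag = _local(elem.tag) if isinstance(elem.tag, str) else ""
        if tag in FORBIDDEN_ELEMENTS:
            findings.append(f"forbidden element <{tag}>")
        for attr, value in elem.attrib.items():
            name = _local(attr)
            if name.startswith("on"):
                # onload, onclick, onmouseover, ...: inline script by another name.
                findings.append(f"event handler attribute {name!r} on <{tag}>")
            elif name == "href" and _unsafe_url(value):
                findings.append(f"unsafe URL in {name!r} on <{tag}>: {value!r}")
    return findings


# Constructed sample uploads used to exercise the check.
CLEAN = (b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
         b'<rect width="10" height="10"/></svg>')
SCRIPTED = (b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
            b'<script>alert(1)</script></svg>')
HANDLER = (b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10" '
           b'onload="alert(1)"><rect width="10" height="10"/></svg>')
JS_HREF = (b'<svg xmlns="http://www.w3.org/2000/svg" '
           b'xmlns:xlink="http://www.w3.org/1999/xlink" viewBox="0 0 10 10">'
           b'<a xlink:href="java&#9;script:alert(1)"><rect width="10" height="10"/></a></svg>')
NO_VIEWBOX = b'<svg xmlns="http://www.w3.org/2000/svg"><rect width="10" height="10"/></svg>'
MALFORMED = b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10"><rect'

if __name__ == "__main__":
    for label, sample in [("clean", CLEAN), ("scripted", SCRIPTED), ("handler", HANDLER),
                          ("js-href", JS_HREF), ("no-viewbox", NO_VIEWBOX), ("malformed", MALFORMED)]:
        print(f"{label:11s} -> {scan_svg(sample) or 'accepted'}")
```

The check runs before the file is written to storage, so a rejected upload never acquires a public URL. Python's built-in parser does not fetch external entities, but it does expand internal ones, so for untrusted input in production prefer a hardened parser such as defusedxml in front of this logic.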

Added: Feb 25, 2026, 3:24 AM
Updated: Feb 25, 2026, 3:24 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 1.7
exploitability: 6.3
remediation: 0.0
relevance: 3.2
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.