Itsourcecode Student Management System Stored Cross-Site Scripting Vulnerability via SVG File Upload

Vulnerability

A stored cross-site scripting vulnerability has been identified in the Itsourcecode Student Management System version 1.0. The issue arises in the Add Student module, specifically within the profile picture upload feature. The application permits users with administrative rights to upload SVG files without adequate validation or sanitization. Since SVG files can contain embedded JavaScript, a malicious payload uploaded as a profile image is stored on the server and executed when the image is viewed through the Manage Student module or opened in a new browser tab.

Impact

Exploitation of this vulnerability allows for the execution of arbitrary JavaScript in the context of the victim's browser, potentially leading to session hijacking, unauthorized actions on behalf of the user, theft of sensitive information, application defacement, or the delivery of phishing or malware payloads.

Reproduction

To reproduce this vulnerability, log into the application as an admin and navigate to the Add Student module. Fill in the required details and upload a malicious SVG file as the profile picture. After saving the record, go to the Manage Student module, view the added record, and open the profile image in a new tab to observe the execution of the embedded JavaScript.

Remediation

It is recommended to disallow SVG uploads entirely if not necessary, or to sanitize SVG files using a trusted library to remove scripts and event handlers. Additionally, enforce strict Content-Type validation, store uploaded files outside the web root, and implement a strong Content Security Policy.
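The following is an added example of how the remediation above can be implemented; it is not code from the Itsourcecode project (which is written in PHP) and is written in Python for illustration. It assumes the upload handler receives the original filename, the raw bytes and the client-declared Content-Type, and it makes the decision on the bytes themselves, since the client-supplied Content-Type header is attacker-controlled. `validate_profile_image` enforces the "disallow SVG" option by accepting only raster images whose extension, magic bytes and declared type agree; `sanitize_svg` covers the case where SVG must be kept, stripping script elements, `on*` handlers and `javascript:` hrefs; `upload_response_headers` shows the headers to serve a stored upload with so the browser never interprets it as active content. The function names and the sample SVG are constructed for this example.

```python
import re
import xml.etree.ElementTree as ET

# Magic-byte signatures for the raster formats a profile picture actually needs.
RASTER_MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
EXTENSION_TO_KIND = {"png": "png", "jpg": "jpeg", "jpeg": "jpeg", "gif": "gif"}


def detect_raster_type(data: bytes):
    """Identify the image format from the file's leading bytes, or None if unknown."""
    for magic, kind in RASTER_MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def validate_profile_image(filename: str, data: bytes, client_content_type: str):
    """Accept only PNG/JPEG/GIF whose name, bytes and declared type all agree.

    Returns (accepted, detail). The client-declared Content-Type is checked last and
    only for consistency; the decision rests on the bytes, so a renamed SVG is rejected.
    """
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in EXTENSION_TO_KIND:
        return False, f"extension '{ext}' is not an allowed raster image type"
    kind = detect_raster_type(data)
    if kind is None:
        return False, "content is not PNG/JPEG/GIF (an SVG or other text file lands here)"
    if EXTENSION_TO_KIND[ext] != kind:
        return False, f"extension says {ext} but content is {kind}"
    if client_content_type.lower() != f"image/{kind}":
        return False, f"declared Content-Type {client_content_type!r} does not match {kind}"
    return True, kind


SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)
ET.register_namespace("xlink", XLINK_NS)

# Elements that can run script or embed foreign (HTML) content inside an SVG.
ACTIVE_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}
SCRIPT_SCHEMES = ("javascript:", "vbscript:")


def _local(name: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tag and attribute names."""
    return name.rsplit("}", 1)[-1].lower()


def _is_script_url(value: str) -> bool:
    # Browsers ignore whitespace and control characters inside the scheme, so drop them first.
    normalized = re.sub(r"[\s\x00-\x1f]", "", value).lower()
    return normalized.startswith(SCRIPT_SCHEMES)


def sanitize_svg(data: bytes) -> str:
    """Return the SVG with script-bearing elements, on* handlers and script: URLs removed.

    Only needed if SVG uploads must be kept; rejecting SVG outright is simpler.
    In production, parse with defusedxml to also block entity-expansion attacks.
    """
    root = ET.fromstring(data)
    # Snapshot the tree first so removing children does not disturb the traversal.
    for parent in list(root.iter()):
        for child in list(parent):
            if not isinstance(child.tag, str) or _local(child.tag) in ACTIVE_ELEMENTS:
                parent.remove(child)
    for elem in root.iter():
        for attr in list(elem.attrib):
            name = _local(attr)
            if name.startswith("on") or (name == "href" and _is_script_url(elem.attrib[attr])):
                del elem.attrib[attr]
    return ET.tostring(root, encoding="unicode")


def upload_response_headers(kind: str) -> dict:
    """Headers for serving a stored upload so the browser never treats it as a document."""
    return {
        "Content-Type": f"image/{kind}",
        "X-Content-Type-Options": "nosniff",              # no MIME sniffing into text/html
        "Content-Security-Policy": "default-src 'none'; sandbox",  # inert even if served inline
    }


# Constructed sample: an SVG carrying a script element, an event handler and a script: URL.
SAMPLE_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
    b'<script>alert(1)</script><circle r="5" onload="alert(1)"/>'
    b'<a xlink:href="java\nscript:alert(1)"><text>x</text></a></svg>'
)

if __name__ == "__main__":
    print(validate_profile_image("me.svg", SAMPLE_SVG, "image/svg+xml"))
    print(validate_profile_image("me.png", SAMPLE_SVG, "image/png"))  # renamed SVG, still rejected
    print(sanitize_svg(SAMPLE_SVG))
```

When an SVG is required, store the sanitized text rather than the original bytes, and serve it with the headers above from a path outside the web root so that even a sanitizer miss cannot run in the application's origin.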

Added: Feb 22, 2026, 10:19 AM
Updated: Feb 22, 2026, 10:19 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 1.7
exploitability: 5.9
remediation: 0.0
relevance: 3.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.