Dataease Stored Cross-Site Scripting Vulnerability via Malicious SVG Uploads

A stored cross-site scripting vulnerability has been identified in Dataease versions prior to 2.10.20. The issue arises from the static resource upload interface, which allows SVG files to be uploaded. However, the backend validation only ensures that the XML is well-formed and that the root element is SVG. It fails to sanitize active content, such as event handlers or script-capable attributes. This oversight enables an attacker to upload a harmful SVG, which can execute scripts in a browser when the static resource URL is accessed.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where uploaded SVG files execute scripts in the context of the user viewing the resource.

Reproduction

To reproduce this vulnerability, upload a malicious SVG file containing an onload event (such as a script alerting document cookies) through the static resource upload interface. After uploading, access the SVG file via its static resource URL to trigger the script execution.

Remediation

Users are advised to upgrade to Dataease version 2.10.20, where this vulnerability has been fixed.