FUEL CMS
cpe:2.3:a:daylightstudio:fuel_cms:*:*:*:*:*:*:*
- <= 1.5.2
A stored Cross-Site Scripting (XSS) vulnerability has been identified in FUEL CMS versions through 1.5.2, specifically within the asset upload feature. The vulnerability arises because the application does not adequately sanitize uploaded SVG files. This flaw allows low-privileged authenticated users to upload SVG files that embed malicious JavaScript. The uploaded files are stored unsanitized, and the embedded scripts execute when an administrator views or previews the file. Exploitation can lead to unauthorized access to the administrator's account and sensitive data.
Exploitation of this vulnerability allows for the execution of JavaScript in the context of an administrator's browser session. This could be used to change admin credentials, resulting in a complete takeover of the administrator account and compromise of the entire CMS instance.
To reproduce this vulnerability, log in to FUEL CMS as a low-privileged user and navigate to the asset upload section. Upload a malicious SVG file containing JavaScript. After confirming the upload, log in as an administrator and open or preview the uploaded SVG file. The JavaScript will execute in the administrator session, allowing the attacker to retrieve the CSRF token and send authenticated requests to change admin credentials.