Contao 5.4.1: Malicious File Upload (XSS in SVG)
Description:
# An issue was discovered in Contao 5.4.1.
# We have identified a vulnerability that allows an authenticated admin account to upload an SVG file containing malicious JavaScript (stored cross-site scripting) to the target system. If the file is later accessed through the website, the embedded script runs in the visitor's browser, which leads to a cross-site scripting (XSS) attack or the execution of arbitrary attacker-supplied JavaScript against the target.
Affected Component:
http://[ip]/contao?act=move&do=files&mode=2&pid=files%2Fcontaodemo%2Fmedia%2Fcontent-images&id=&rt=deaa7b02c06d6cc4f3c68ec0f5.OX1bkqiOHJbgkGATVkTDE19Y1RBqS0HILO0uzSkPxcs.Zk8M3c77JfnT8lN4JxSSTC4Zj2EeMQ2Qdph4gEI8iKxcTD_bytRb3KHlNQ&ref=14YjsbRN
Payload:
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert('Grim The Ripper Team by SOSECURE Thailand');
</script>
</svg>
First, log in to the target web application using an admin account.
Next, click on the "Files" panel.
Then click on the "Upload files" function.
Click the icon as shown in the picture.
After that, click on "Click or drop here to upload" to upload a malicious file.
Select the "GrimtheRipperTeam.svg" file to upload to the web application.
Once the "GrimtheRipperTeam.svg" file has been uploaded, click "Go back".
Click "GrimtheRipperTeam.svg" and open it in a new tab.
Finally, we found that the malicious script is working.
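The root cause described above is that an uploaded SVG is stored and served as-is, so any <script> element inside it executes when the file is opened in a browser. The following is an added example, not Contao's own code and not part of this advisory: a server-side pre-upload check that parses the SVG as XML and rejects it when it carries active content (script or foreignObject elements, on* event-handler attributes, or href values with a script scheme). The function names (find_active_content, is_safe_svg), the constructed benign and handler samples, and the placement as an upload filter are assumptions for illustration; the first sample is the payload from this advisory.

```python
# Added example (not Contao's code): detect active content in an uploaded
# SVG before it is accepted, using only the Python standard library.
import re
import xml.etree.ElementTree as ET

# Elements that can run script or embed arbitrary HTML inside an SVG.
ACTIVE_ELEMENTS = {"script", "foreignobject"}


def local_name(tag: str) -> str:
    """Strip the namespace prefix ElementTree adds: '{ns}script' -> 'script'."""
    return tag.rsplit("}", 1)[-1].lower()


def has_script_scheme(value: str) -> bool:
    """True if a URL attribute value resolves to a javascript:/vbscript: URL.

    Browsers tolerate whitespace and control characters inside the scheme,
    so they are removed before comparing. Entities such as &#106; were
    already decoded by the XML parser, so they need no special handling.
    """
    collapsed = re.sub(r"[\x00-\x20]", "", value).lower()
    return collapsed.startswith(("javascript:", "vbscript:"))


def find_active_content(svg_bytes: bytes) -> list[str]:
    """Return a list of findings; an empty list means nothing active was found."""
    findings: list[str] = []
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        # A file that is not well-formed XML is rejected rather than guessed at.
        return [f"not well-formed XML: {exc}"]
    if local_name(root.tag) != "svg":
        findings.append(f"root element is <{local_name(root.tag)}>, not <svg>")
    for elem in root.iter():  # iter() includes the root element itself
        name = local_name(elem.tag)
        if name in ACTIVE_ELEMENTS:
            findings.append(f"<{name}> element")
        for attr, value in elem.attrib.items():
            attr_name = local_name(attr)  # also normalises xlink:href -> href
            if attr_name.startswith("on"):
                findings.append(f"event handler attribute {attr_name} on <{name}>")
            if attr_name == "href" and has_script_scheme(value):
                findings.append(f"href with script scheme on <{name}>")
    return findings


def is_safe_svg(svg_bytes: bytes) -> bool:
    """Upload gate: accept the file only when no active content was found."""
    return not find_active_content(svg_bytes)


# Sample 1: the payload from this advisory.
ADVISORY_PAYLOAD = b"""<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert('Grim The Ripper Team by SOSECURE Thailand');
</script>
</svg>"""

# Sample 2 (constructed): a plain drawing with no active content.
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 50 50">
<polygon points="0,0 0,50 50,0" fill="#009900"/>
</svg>"""

# Sample 3 (constructed): no <script> element, but an event handler and a
# script-scheme link, which a check that only looks for <script> would miss.
HANDLER_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)">
<a href="javascript:alert(1)"><text x="5" y="20">link</text></a>
</svg>"""


if __name__ == "__main__":
    for label, data in [("advisory payload", ADVISORY_PAYLOAD),
                        ("benign drawing", BENIGN_SVG),
                        ("handler sample", HANDLER_SVG)]:
        print(f"{label}: {find_active_content(data) or 'no active content'}")
```

This is a blocklist check, which is the minimum a practitioner would want in front of an SVG upload; a stricter design allowlists the elements and attributes the site actually needs and rewrites the file through a sanitizer. Independently of either, the impact of an SVG that slips through is reduced by serving user uploads from a separate origin or with a Content-Disposition: attachment header, so that the script cannot run in the context of the application's own origin.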
Author:
Grim The Ripper Team by SOSECURE Thailand.