Drupal 11.0.1: Malicious File Upload (XSS in SVG)

GrimTheRipper
2 min read · Sep 2, 2024


Description:

An issue was discovered in Drupal 11.0.1.

We identified a vulnerability that allows an authenticated admin account to upload an SVG file containing malicious JavaScript code (stored cross-site scripting) to the target system. If the file is accessed through the website, it can lead to a cross-site scripting (XSS) attack or execute arbitrary code via the crafted JavaScript on the target.

Affected Component:

http://[ip]/en/admin/appearance/settings

Payload:

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert('Grim The Ripper Team by SOSECURE Thailand');
</script>
</svg>

First, log in to the target web application using an admin account.

http://[ip]/en/user/login

Next, click on the “Appearance” panel, and then click on the “Settings” tab.

http://[ip]/en/admin/appearance/settings

After that, scroll down to the Favicon section, and click on “Choose File” to upload a malicious file.

Choose File to upload.

Subsequently, select the “GrimTheRipperTeam.svg” file to upload to the web application.

Select the “GrimTheRipperTeam.svg” file.

And click on the “Save configuration” button to complete the upload.

Save the configuration.

Finally, the settings page shows the path where the uploaded SVG file is stored; we open that path directly to check whether the script embedded in the file executes.

The location of the SVG file.

After accessing the path, we found that the embedded script executes.

The payload was executed on the target.
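The payload above and the favicon upload step only work because the server stores an SVG that carries a script element as if it were an ordinary image. As an added, defender-side example (not Drupal's own code), the following Python check parses an uploaded SVG and lists any active content it contains (script elements, event-handler attributes, javascript:/data: links, foreign markup) so an upload handler can reject the file before it is stored. The sample inputs are constructed here, the first one copied from the payload on this page; the function names are assumptions.

```python
"""Flag active content in SVG uploads (constructed example, not Drupal code)."""
import re
import xml.etree.ElementTree as ET

# Elements that can execute script or embed non-SVG markup.
ACTIVE_TAGS = {"script", "foreignObject", "iframe", "embed", "object", "animate", "set"}
# href values that execute or smuggle content instead of pointing at a resource.
BAD_HREF = re.compile(r"^\s*(javascript|data)\s*:", re.IGNORECASE)


def _local(name: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on tag and attribute names."""
    return name.rsplit("}", 1)[-1]


def svg_active_content(data: bytes) -> list[str]:
    """Return human-readable findings; an empty list means the SVG is inert."""
    try:
        root = ET.fromstring(data)  # cap the upload size before calling this
    except ET.ParseError as exc:
        return [f"unparseable XML: {exc}"]
    findings = []
    if _local(root.tag) != "svg":
        findings.append(f"root element is <{_local(root.tag)}>, not <svg>")
    for el in root.iter():
        name = _local(el.tag)
        if name in ACTIVE_TAGS:
            findings.append(f"<{name}> element")
        for attr, value in el.attrib.items():
            a = _local(attr)  # covers both href and xlink:href
            if a.lower().startswith("on"):
                findings.append(f"event handler {a} on <{name}>")
            elif a == "href" and BAD_HREF.match(value):
                findings.append(f"{a}={value!r} on <{name}>")
    return findings


def is_safe_svg(data: bytes) -> bool:
    """Decision an upload validator would use: accept only inert SVGs."""
    return not svg_active_content(data)


# Constructed samples: the page's payload, a benign icon, and a handler variant.
PAYLOAD_SVG = b"""<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert('Grim The Ripper Team by SOSECURE Thailand');
</script>
</svg>"""
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10"><circle cx="5" cy="5" r="4" fill="#0a0"/></svg>'
HANDLER_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><a href="javascript:alert(1)"><rect width="5" height="5" onclick="alert(1)"/></a></svg>'

if __name__ == "__main__":
    for label, svg in (("payload", PAYLOAD_SVG), ("benign", BENIGN_SVG), ("handler", HANDLER_SVG)):
        print(label, "->", svg_active_content(svg) or "inert")
```

Extension allow-listing does not help here because the file is a well-formed SVG; rejecting active content as above, rasterising the icon, or serving user-supplied SVGs with Content-Disposition: attachment and a restrictive Content-Security-Policy are the usual mitigations.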

Author:

Grim The Ripper Team by SOSECURE Thailand.
