HTML Injection / Stored XSS via Malicious SVG Upload

CVSS 6.8 (Medium) CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N

eLabFTW is open source software that I keep track of, having published a SQL injection CVE against it about six months ago.

About a month ago, I decided to go back and give the code another audit. One thing that immediately jumped out at me was an entry in the list of MIME types allowed for inline file downloads that had the word xml in it.

// force the download of everything (regardless of the forceDownload parameter)
// to avoid having html injected and interpreted as an elabftw page
$safeMimeTypes = array(
    'application/pdf',
    'image/gif',
    'image/jpeg',
    'image/png',
    'video/mp4',
    'image/svg+xml',
    'text/plain',
);

I tested it out and sure enough, it was vulnerable to multiple injection attacks. The lesson here: never trust anything with the word xml in it, especially not images.
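The root cause is that an SVG is an XML document, so once the server lets the browser render it inline (rather than forcing a download) any script or event handler the uploader embedded runs in the application's origin. The following is an added example of how the download path could be hardened; it is not eLabFTW's code, and the function names (`detectMimeType`, `responseHeadersFor`, `sendFile`) and the assumption that the MIME type is detected server-side with `finfo` are mine:

```php
<?php
// Added example, not eLabFTW's code: decide whether an uploaded file may be
// rendered inline or must be forced to download, and set defensive headers.
declare(strict_types=1);

// MIME types the browser may render inline. 'image/svg+xml' is deliberately
// absent: SVG is XML and can carry <script> elements and event handlers, so it
// is only ever served as an attachment.
const INLINE_SAFE_MIME_TYPES = [
    'application/pdf',
    'image/gif',
    'image/jpeg',
    'image/png',
    'video/mp4',
    'text/plain',
];

// Detect the MIME type from the file content on disk. Never trust the
// client-supplied Content-Type or file extension for this decision.
function detectMimeType(string $path): string
{
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime = $finfo->file($path);
    return $mime === false ? 'application/octet-stream' : $mime;
}

// Build the response headers for a stored upload. Anything not in the
// allow-list is served as an opaque attachment.
function responseHeadersFor(string $mimeType, string $downloadName): array
{
    // Restrict the filename so it cannot break out of the header value.
    $safeName = preg_replace('/[^A-Za-z0-9._-]/', '_', $downloadName);
    $inline = in_array($mimeType, INLINE_SAFE_MIME_TYPES, true);

    return [
        'Content-Type' => $inline ? $mimeType : 'application/octet-stream',
        'Content-Disposition' => ($inline ? 'inline' : 'attachment')
            . '; filename="' . $safeName . '"',
        // Stop the browser from sniffing a "plain" upload into active content.
        'X-Content-Type-Options' => 'nosniff',
        // Defense in depth: even an inline document gets a sandboxed, scriptless origin.
        'Content-Security-Policy' => 'sandbox',
    ];
}

// Stream a stored upload to the client with the headers chosen above.
function sendFile(string $path, string $downloadName): void
{
    $mimeType = detectMimeType($path);
    foreach (responseHeadersFor($mimeType, $downloadName) as $name => $value) {
        header($name . ': ' . $value);
    }
    header('Content-Length: ' . (string) filesize($path));
    readfile($path);
}

// Usage (hypothetical upload store path):
// sendFile('/var/www/uploads/' . $storedId, $originalFilename);
```

With this list an uploaded `logo.svg` is detected as `image/svg+xml`, falls through the allow-list, and goes out as `application/octet-stream` with `Content-Disposition: attachment`, so the browser never parses it as a document in the application's origin. Serving user uploads from a separate, cookie-less origin is the other standard mitigation and complements the header changes rather than replacing them.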

Since this is a newly published CVE, I won’t post the PoC for now, but I will include a link to the security advisory here.