إرسال #853060: MyEMS <=6.4.0 Cross Site Scriptingالمعلومات

عنوانMyEMS <=6.4.0 Cross Site Scripting
الوصفThe admin backend has an SVG code upload feature in svg.py . If a malicious user gains admin privileges, they may upload malicious code containing XSS attacks, which could affect all regular users and admin users.An attacker can steal session cookies and fully take over any victim account, including administrator accounts,by the vulnerability. This vul has been fixex in 6.5.0 version. Description Summary The admin backend has an SVG code upload feature in svg.py . If a malicious user gains admin privileges, they may upload malicious code containing XSS attacks, which could affect all regular users and admin users.An attacker can steal session cookies and fully take over any victim account, including administrator accounts,by the vulnerability. Details The on_post method in the SVGCollection class within svg.py is used to save user-uploaded SVG code. The main validation logic is as follows: 212 if 'source_code' not in new_values['data'].keys() or \ 213 not isinstance(new_values['data']['source_code'], str) or \ 214 len(str.strip(new_values['data']['source_code'])) == 0: 215 raise falcon.HTTPError(status=falcon.HTTP_400, title='API.BAD_REQUEST', 216 description='API.INVALID_SVG_SOURCE_CODE') 217 source_code = str.strip(new_values['data']['source_code']) The current code only performs basic parameter validation without content security filtering. Therefore, when a malicious user inputs a carefully crafted payload, it may lead to XSS vulnerability issues. PoC Login as admin Go to the SVG code upload page and input malicious payload: <svg xmlns="http://www.w3.org/2000/svg"> <foreignObject width="100%" height="100%"> <body xmlns="http://www.w3.org/1999/xhtml"> <iframe src="javascript:alert(1)"></iframe> </body> </foreignObject> </svg> image 3. Click "Save" button, then you will see a pop-up window with your session cookie. the admin user use preview function will be affected. image image 6. the regular user use `Auxiliary systems`->`Power distribution systems` will be affected. image Impact It is a stored XSS vulnerability It affects all users, including admins. javascript will be executed in the context of all users' browsers.
المصدر⚠️ https://github.com/MyEMS/myems/issues/412
المستخدم
 rekczh (UID 98239)
ارسال09/06/2026 03:51 PM (1 شهر منذ)
الاعتدال09/07/2026 08:12 PM (1 month later)
الحالةتمت الموافقة
إدخال VulDB377263 [MyEMS حتى 6.4.0 Admin Backend myems-api/core/svg.py on_post new_values['data'] البرمجة عبر المواقع]
النقاط20

Do you want to use VulDB in your project?

Use the official API to access entries easily!