提出 #853060: MyEMS <=6.4.0 Cross Site Scripting情報

タイトルMyEMS <=6.4.0 Cross Site Scripting
説明The admin backend has an SVG code upload feature in svg.py . If a malicious user gains admin privileges, they may upload malicious code containing XSS attacks, which could affect all regular users and admin users.An attacker can steal session cookies and fully take over any victim account, including administrator accounts,by the vulnerability. This vul has been fixex in 6.5.0 version. Description Summary The admin backend has an SVG code upload feature in svg.py . If a malicious user gains admin privileges, they may upload malicious code containing XSS attacks, which could affect all regular users and admin users.An attacker can steal session cookies and fully take over any victim account, including administrator accounts,by the vulnerability. Details The on_post method in the SVGCollection class within svg.py is used to save user-uploaded SVG code. The main validation logic is as follows: 212 if 'source_code' not in new_values['data'].keys() or \ 213 not isinstance(new_values['data']['source_code'], str) or \ 214 len(str.strip(new_values['data']['source_code'])) == 0: 215 raise falcon.HTTPError(status=falcon.HTTP_400, title='API.BAD_REQUEST', 216 description='API.INVALID_SVG_SOURCE_CODE') 217 source_code = str.strip(new_values['data']['source_code']) The current code only performs basic parameter validation without content security filtering. Therefore, when a malicious user inputs a carefully crafted payload, it may lead to XSS vulnerability issues. PoC Login as admin Go to the SVG code upload page and input malicious payload: <svg xmlns="http://www.w3.org/2000/svg"> <foreignObject width="100%" height="100%"> <body xmlns="http://www.w3.org/1999/xhtml"> <iframe src="javascript:alert(1)"></iframe> </body> </foreignObject> </svg> image 3. Click "Save" button, then you will see a pop-up window with your session cookie. the admin user use preview function will be affected. image image 6. the regular user use `Auxiliary systems`->`Power distribution systems` will be affected. image Impact It is a stored XSS vulnerability It affects all users, including admins. javascript will be executed in the context of all users' browsers.
ソース⚠️ https://github.com/MyEMS/myems/issues/412
ユーザー
 rekczh (UID 98239)
送信2026年06月09日 15:51 (1 月 ago)
モデレーション2026年07月09日 20:12 (1 month later)
ステータス承諾済み
VulDBエントリ377263 [MyEMS 迄 6.4.0 Admin Backend myems-api/core/svg.py on_post new_values['data'] クロスサイトスクリプティング]
ポイント20

Do you know our Splunk app?

Download it now for free!