| 제목 | MyEMS <=6.4.0 Cross Site Scripting |
|---|
| 설명 | The admin backend has an SVG code upload feature in svg.py . If a malicious user gains admin privileges, they may upload malicious code containing XSS attacks, which could affect all regular users and admin users.An attacker can steal session cookies and fully take over any victim account, including administrator accounts,by the vulnerability.
This vul has been fixex in 6.5.0 version.
Description
Summary
The admin backend has an SVG code upload feature in svg.py . If a malicious user gains admin privileges, they may upload malicious code containing XSS attacks, which could affect all regular users and admin users.An attacker can steal session cookies and fully take over any victim account, including administrator accounts,by the vulnerability.
Details
The on_post method in the SVGCollection class within svg.py is used to save user-uploaded SVG code. The main validation logic is as follows:
212 if 'source_code' not in new_values['data'].keys() or \
213 not isinstance(new_values['data']['source_code'], str) or \
214 len(str.strip(new_values['data']['source_code'])) == 0:
215 raise falcon.HTTPError(status=falcon.HTTP_400, title='API.BAD_REQUEST',
216 description='API.INVALID_SVG_SOURCE_CODE')
217 source_code = str.strip(new_values['data']['source_code'])
The current code only performs basic parameter validation without content security filtering. Therefore, when a malicious user inputs a carefully crafted payload, it may lead to XSS vulnerability issues.
PoC
Login as admin
Go to the SVG code upload page and input malicious payload:
<svg xmlns="http://www.w3.org/2000/svg">
<foreignObject width="100%" height="100%">
<body xmlns="http://www.w3.org/1999/xhtml">
<iframe src="javascript:alert(1)"></iframe>
</body>
</foreignObject>
</svg>
image 3. Click "Save" button, then you will see a pop-up window with your session cookie.
the admin user use preview function will be affected.
image image 6. the regular user use `Auxiliary systems`->`Power distribution systems` will be affected. image
Impact
It is a stored XSS vulnerability
It affects all users, including admins.
javascript will be executed in the context of all users' browsers. |
|---|
| 원천 | ⚠️ https://github.com/MyEMS/myems/issues/412 |
|---|
| 사용자 | rekczh (UID 98239) |
|---|
| 제출 | 2026. 06. 09. PM 03:51 (1 월 ago) |
|---|
| 모더레이션 | 2026. 07. 09. PM 08:12 (1 month later) |
|---|
| 상태 | 수락 |
|---|
| VulDB 항목 | 377263 [MyEMS 까지 6.4.0 Admin Backend myems-api/core/svg.py on_post new_values['data'] 크로스 사이트 스크립팅] |
|---|
| 포인트들 | 20 |
|---|