| Title | Mangati NovoSGA 2.2.9 Cross Site Scripting |
|---|
| Description | Multiples Stored Cross-Site Scripting (XSS) Injection via SVG File Upload Bypass
Summary
Multiples Stored Cross-Site Scripting (XSS) via SVG File Upload Bypass vulnerability was identified in the /admin endpoint of the NovoSGA application. This vulnerability allows attackers to upload malicious files into the logoNavbar and logoLogin parameters. The injected files are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.
Details
➤ Vulnerable Endpoint: /admin
➤ Parameters: logoNavbar and logoLogin
➤ Trigger Pages: /uploads/logo-navbar.svg?_=[ID] and /uploads/logo-login.svg?_=[ID]
The application fails to properly validate and sanitize user inputs in the logoNavbar and logoLogin parameters. This lack of validation allows attackers to inject malicious scripts, which are then stored on the server. Whenever the affected page is accessed, the malicious payload is executed in the victim's browser, potentially compromising the user's data and system.
PoC
➤ Step by Step:
Save the payload in the xss.svg file.
After, access the /admin page, and click on "Escolher arquivo" buttons to add new "logos", then click on "Salvar" button to upload the files. Access the file by the trigger pages.
➤ Payload:
<svg xmlns=""http://www.w3.org/2000/svg"" fill=""none"">
<script>
alert(""This is an XSS-POC from CVEHUNTERS"");
</script>
</svg>
➤ Screenshots:
image 1: https://hackmd.io/_uploads/r1C1EJA9eg.png
image 2: https://hackmd.io/_uploads/rklff1Rclx.png
image 3: https://hackmd.io/_uploads/B1MNEk0qge.png
image 4: https://hackmd.io/_uploads/HJB8EkRqeg.png
Impact
Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf;
Downloading malware: Attackers can trick users into downloading and installing malware on their computers;
Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits;
Stealing credentials: Attackers can steal a user's credentials;
Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser;
Defacing websites: Attackers can deface a website by altering its content;
Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior;
Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.
Finder
Discovered by Karina Gante.
Official Member of CVE-Hunters???? |
|---|
| Source | ⚠️ https://hackmd.io/@noka/B1qwCyR9ll |
|---|
| User | karinagante (UID 88113) |
|---|
| Submission | 09/09/2025 20:22 (9 months ago) |
|---|
| Moderation | 09/24/2025 12:22 (15 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 325696 [Mangati NovoSGA up to 2.2.9 SVG File /admin logoNavbar/logoLogin cross site scripting] |
|---|
| Points | 20 |
|---|