| Title | givanz VvvebJs 2.0.5 Stored XSS |
|---|
| Description | 1. Unauthenticated Access & Stored XSS:
- A critical vulnerability exists in the upload.php endpoint of VvvebJs. The endpoint completely lacks authentication and access control mechanisms by default.
- An unauthenticated, remote attacker can directly send a POST request to upload files. Furthermore, the endpoint fails to sanitize the contents of uploaded SVG (Scalable Vector Graphics) files.
2. Exploiting the Vulnerability:
- Because SVG is an XML-based format that supports embedded JavaScript via attributes like onload, an attacker can upload a maliciously crafted .svg file containing arbitrary JavaScript code.
- Once the file is uploaded, it is stored in the /media/ directory. When any user (including administrators) accesses the direct URL of the uploaded SVG file, their browser parses the file and executes the embedded JavaScript payload within the context of the application's domain. |
|---|
| Source | ⚠️ https://tcn60zf28jhk.feishu.cn/wiki/Cr4KwMPiMi65fFkI9Vyc3oX2n0f?from=from_copylink |
|---|
| User | EthX0_ (UID 96627) |
|---|
| Submission | 03/22/2026 12:20 (17 days ago) |
|---|
| Moderation | 04/05/2026 17:32 (14 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 355406 [givanz Vvvebjs up to 2.0.5 File Upload Endpoint upload.php uploadAllowExtensions cross site scripting] |
|---|
| Points | 20 |
|---|