Gửi #853060: MyEMS <=6.4.0 Cross Site Scriptingthông tin

tiêu đềMyEMS <=6.4.0 Cross Site Scripting
Mô tảThe admin backend has an SVG code upload feature in svg.py . If a malicious user gains admin privileges, they may upload malicious code containing XSS attacks, which could affect all regular users and admin users.An attacker can steal session cookies and fully take over any victim account, including administrator accounts,by the vulnerability. This vul has been fixex in 6.5.0 version. Description Summary The admin backend has an SVG code upload feature in svg.py . If a malicious user gains admin privileges, they may upload malicious code containing XSS attacks, which could affect all regular users and admin users.An attacker can steal session cookies and fully take over any victim account, including administrator accounts,by the vulnerability. Details The on_post method in the SVGCollection class within svg.py is used to save user-uploaded SVG code. The main validation logic is as follows: 212 if 'source_code' not in new_values['data'].keys() or \ 213 not isinstance(new_values['data']['source_code'], str) or \ 214 len(str.strip(new_values['data']['source_code'])) == 0: 215 raise falcon.HTTPError(status=falcon.HTTP_400, title='API.BAD_REQUEST', 216 description='API.INVALID_SVG_SOURCE_CODE') 217 source_code = str.strip(new_values['data']['source_code']) The current code only performs basic parameter validation without content security filtering. Therefore, when a malicious user inputs a carefully crafted payload, it may lead to XSS vulnerability issues. PoC Login as admin Go to the SVG code upload page and input malicious payload: <svg xmlns="http://www.w3.org/2000/svg"> <foreignObject width="100%" height="100%"> <body xmlns="http://www.w3.org/1999/xhtml"> <iframe src="javascript:alert(1)"></iframe> </body> </foreignObject> </svg> image 3. Click "Save" button, then you will see a pop-up window with your session cookie. the admin user use preview function will be affected. image image 6. the regular user use `Auxiliary systems`->`Power distribution systems` will be affected. image Impact It is a stored XSS vulnerability It affects all users, including admins. javascript will be executed in the context of all users' browsers.
Nguồn⚠️ https://github.com/MyEMS/myems/issues/412
Người dùng
 rekczh (UID 98239)
Đệ trình09/06/2026 15:51 (cách đây 1 tháng)
Kiểm duyệt09/07/2026 20:12 (1 month later)
Trạng tháiđược chấp nhận
Mục VulDB377263 [MyEMS đến 6.4.0 Admin Backend myems-api/core/svg.py on_post new_values['data'] Tập lệnh chéo trang]
điểm20

Do you need the next level of professionalism?

Upgrade your account now!