  • CVE-2025-55939

    [Vendor of Product] – SocietyPro

    [Affected Product Code Base] – SocietyPro – 1.0.42

    [Attack Type] – Remote

    [Vulnerability Type] – Cross Site Scripting (XSS)

    [Attack Vectors] – To trigger the stored XSS, a user needs to access the uploaded malicious SVG file.

    [Affected Component] – File Upload Functionality prone to XSS attack

    A Stored Cross-Site Scripting (XSS) vulnerability was identified in SocietyPro 1.0.42, which allows an attacker to upload a malicious SVG file containing JavaScript code. When an administrator or any user views the uploaded file, the embedded script executes in their browser context, leading to potential session hijacking, cookie theft, or unauthorized actions on behalf of the victim.

    Uploaded a malicious SVG file containing the following payload:

    <svg xmlns="http://www.w3.org/2000/svg" width="400" height="400" viewBox="0 0 124 124" fill="none">
    <rect width="124" height="124" rx="24" fill="#000000"/>
    <script type="text/javascript">
     alert(document.cookie);
    </script>
    </svg>

    Proof of Concept (PoC):

    1. Logged in to the admin console using test credentials.
    2. Navigated to the TENANT > PROFILE tab.
    3. Uploaded a malicious SVG file containing the following payload:
      <svg xmlns="http://www.w3.org/2000/svg" width="400" height="400" viewBox="0 0 124 124" fill="none"><rect width="124" height="124" rx="24" fill="#000000"/><script type="text/javascript">alert(document.cookie);</script></svg>
    4. After upload, the file was stored at:
      https://societypro-saas.froid.works/user-uploads/user-photos/80acdbebaabe59663f08021fd52cc011.svg
    5. Upon accessing the file, the JavaScript payload executed, allowing cookie theft (demonstrated via alert(document.cookie)).
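    As an added example (this is not SocietyPro's code and is not part of the advisory), the following Python shows the two controls a defender would want for the upload path described above: screening an uploaded SVG for script-bearing constructs before it is stored, and serving stored uploads with headers that stop the browser rendering them inline in the application's origin. Function names, the size cap and the benign sample are assumptions constructed for this example; the malicious sample is a copy of the advisory's payload.

```python
"""
Upload-side SVG screening and download-side response headers for the
stored-SVG XSS pattern described in the advisory. Added example with
labelled assumptions; not SocietyPro's own code.
"""
import re
import xml.etree.ElementTree as ET

MAX_SVG_BYTES = 512 * 1024  # assumption: a sane cap for a profile image

# Elements that execute script, embed foreign content, or (SMIL animate/set)
# can rewrite href attributes at runtime once the SVG is rendered inline.
ACTIVE_ELEMENTS = {"script", "foreignObject", "iframe", "embed", "object",
                   "animate", "set"}
URL_ATTRS = {"href", "src"}  # xlink:href reduces to "href" after _local()


def _local(name: str) -> str:
    """Strip a Clark-notation namespace: '{http://...}href' -> 'href'."""
    return name.rsplit("}", 1)[-1]


def find_svg_hazards(data: bytes) -> list[str]:
    """Return the reasons an uploaded SVG must be rejected; [] means none found."""
    if len(data) > MAX_SVG_BYTES:
        return [f"file exceeds {MAX_SVG_BYTES} bytes"]
    # Refuse DOCTYPE/ENTITY declarations before parsing: entity expansion is a
    # separate denial-of-service risk that the stdlib parser will honour.
    if re.search(rb"<!(DOCTYPE|ENTITY)", data, re.I):
        return ["DOCTYPE or ENTITY declaration present"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]

    hazards: list[str] = []
    if _local(root.tag) != "svg":
        hazards.append(f"root element is <{_local(root.tag)}>, not <svg>")
    for el in root.iter():
        tag = _local(el.tag)
        if tag in ACTIVE_ELEMENTS:
            hazards.append(f"active element <{tag}>")
        if tag == "style" and el.text and re.search(r"@import|url\s*\(", el.text, re.I):
            hazards.append("<style> references external or url() content")
        for attr, value in el.attrib.items():
            name = _local(attr)
            if name.lower().startswith("on"):
                hazards.append(f"event handler attribute {name} on <{tag}>")
            elif name in URL_ATTRS:
                if re.match(r"\s*(javascript|vbscript):", value, re.I):
                    hazards.append(f"{name} on <{tag}> uses a script scheme")
                elif (re.match(r"\s*data:", value, re.I)
                      and not (tag == "image" and re.match(r"\s*data:image/", value, re.I))):
                    hazards.append(f"{name} on <{tag}> uses a data: URL")
    return hazards


def download_headers(stored_name: str) -> dict[str, str]:
    """Headers for serving a stored upload so the browser never renders it as a
    document in the site's origin: forced download, no script, sandboxed."""
    return {
        "Content-Type": "image/svg+xml",
        "Content-Disposition": f'attachment; filename="{stored_name}"',
        "Content-Security-Policy": "default-src 'none'; sandbox",
        "X-Content-Type-Options": "nosniff",
    }


# Constructed samples: the advisory's payload and a benign icon.
MALICIOUS_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" width="400" height="400" '
    b'viewBox="0 0 124 124" fill="none">'
    b'<rect width="124" height="124" rx="24" fill="#000000"/>'
    b'<script type="text/javascript">alert(document.cookie);</script></svg>'
)
BENIGN_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
    b'<circle cx="5" cy="5" r="4" fill="#0f0"/></svg>'
)

if __name__ == "__main__":
    for label, sample in (("advisory payload", MALICIOUS_SVG), ("benign icon", BENIGN_SVG)):
        print(label, "->", find_svg_hazards(sample) or "accepted")
    print(download_headers("example-stored-name.svg"))
```

    Rejecting at upload time is the primary fix; the download headers are defence in depth for files that are already stored, which is exactly the position a site in the advisory's state is in.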

    [Reference]

    http://societypro.com

    [Discoverer] – Latish Danawale