Zen-Cart CKEditor SVG Bypass Leading to Stored XSS

Key Information Details Software Type: Web App Software Name: Zen-Cart Affected Version: 2.1.0 Software Vendor: Zen Ventures, LLC Software Link: https://github.com/zencart/zencart Severity: High CVSS Score: 7.2 CVE Link: N/A Affected Assets: 30171+ Discovery Date: January 9, 2025 PoC Exploit: https://gist.github.com/0xHamy/b2674eefdd1f73a96d29f152c47bcbd Description ZenCart features an interesting functionality that allows administrators to change the entire website’s text editor used for editing pages or products, offering two options: "Plain Text" editor and "CKEditor". The issue lies in CKEditor, which permits inserting images via URL. While SVG images are blacklisted by default in ZenCart, attempting to upload an SVG file results in an error. However, users can still insert SVG files using CKEditor’s “Insert Image via URL” feature. In fact, malicious PHP cookie stealers can also be inserted via this method. The application treats them as images, causing them to execute immediately when the webpage loads. Reproduction Steps To reproduce this vulnerability, I will use a PHP cookie stealer script to demonstrate how cookies can be stolen. Save the following file as : https://gist.github.com/0xHamy/b2674eefdd1f73a96d29f152c47bcbd Start a PHP server to serve this file: To reproduce the issue, change the text editor type from Plain Text to CKEditor. This can be done via: After changing the editor, open a product for editing. The URI might look like: Click on the “Insert Image via URL” icon in CKEditor. A small dialog will appear, prompting for an image URL. However, there is no filter to ensure users only insert images and not other content. In this dialog, enter the full URL pointing to your PHP cookie stealer. In my case: Now, access the product page and check your PHP server for cookie logs: Additionally, the following payload also works:

Goal Reached Thanks to every supporter — we hit 100%!

Zen-Cart CKEditor SVG Bypass Leading to Stored XSS