
CVE-2025-56515 PoC — Fiora security vulnerability

Associated Vulnerability
Title: Fiora security vulnerability (CVE-2025-56515)
Description: Fiora is a chat application by the individual developer yinxin630. Fiora version 1.0.0 contains a security vulnerability caused by the user avatar upload feature not validating SVG file content, which can lead to execution of arbitrary JavaScript code.
Description
Cross-Site Scripting (XSS) Vulnerability in Fiora Chat Application
Readme
# CVE-2025-56515: Cross-Site Scripting (XSS) Vulnerability in Fiora Chat Application

## Vulnerability Overview
**CVE ID**: CVE-2025-56515  
**Vulnerability Type**: Cross-Site Scripting (XSS)  
**Attack Type**: Remote  
**Impact**: Code Execution  
**Affected Product**: Fiora Chat Application (Version 1.0.0)  
**Vendor**: suisuijiang  
**Discoverer**: Kaio Mendonça Pereira  
**Vendor Confirmed**: Yes  
**References**:  
- [Fiora GitHub Repository](https://github.com/yinxin630/fiora)  
- [Fiora Application](https://fiora.suisuijiang.com/)  
- [CWE-79: Improper Neutralization of Input During Web Page Generation](https://cwe.mitre.org/data/definitions/79.html)

## Description
The Fiora chat application (version 1.0.0) is vulnerable to a Cross-Site Scripting (XSS) attack due to improper validation of SVG file content uploaded through the user avatar modification functionality. Authenticated users can upload malicious SVG files containing embedded `<foreignObject>` elements with `<iframe>` tags and JavaScript event handlers (e.g., `onmouseover`). When these SVG files are rendered in the browser, the embedded JavaScript executes, allowing attackers to steal user sessions, cookies, or perform unauthorized actions in the context of users viewing the affected profile.

## Affected Components
- `packages/server/src/routes/user.ts`
- `packages/web/src/modules/Sidebar/UserInfo.tsx`
- `packages/web/src/service.ts`
- `packages/web/src/components/Avatar.tsx`
- `/UserAvatar/` directory
- Function: `changeUserAvatar`

## Attack Vector
The vulnerability is exploited by uploading a malicious SVG file as a user avatar. The SVG file can include a `<foreignObject>` element containing an `<iframe>` with a JavaScript event handler, such as `onmouseover="alert(document.cookie)"`. When the avatar is rendered (e.g., on page reload or direct access to the SVG URL), the malicious JavaScript executes, bypassing the application's XSS protections. This enables attackers to perform actions such as:
- Stealing session cookies.
- Performing unauthorized actions in the context of the victim's session.
- Redirecting users to malicious sites.
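As an added example that is not part of this advisory or of Fiora's code, the check below shows how the `changeUserAvatar` route could refuse this class of upload: allow-list raster formats by magic bytes (the primary fix, since an SVG is an XML text file and never matches), and only if SVG must stay supported, deny any SVG carrying active markup such as the `<foreignObject>`/`<iframe>`/`onmouseover` chain described above. The sample inputs, including a copy of the advisory's payload, are constructed inline; the function names are this example's own.

```typescript
// Added example, not Fiora's own code: a check the changeUserAvatar route could run
// before storing anything under /UserAvatar/. Layer 1 admits only raster formats
// identified by magic bytes, so an SVG (an XML text file) never becomes an avatar.
// Layer 2, for deployments that must keep SVG, refuses any SVG carrying active content.
const ALLOWED_MAGIC: Array<{ type: string; bytes: number[] }> = [
  { type: "image/png", bytes: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
  { type: "image/jpeg", bytes: [0xff, 0xd8, 0xff] },
  { type: "image/gif", bytes: [0x47, 0x49, 0x46, 0x38] },
];
// Markup that turns an SVG into a script carrier (a denylist, matched case-insensitively).
const ACTIVE_SVG_MARKUP: RegExp[] = [
  /<\s*script\b/i,        // inline script
  /<\s*foreignObject\b/i, // embeds arbitrary XHTML, e.g. the <iframe> in this advisory
  /<\s*iframe\b/i,
  /\son[a-z]+\s*=/i,      // event handler attributes: onmouseover=, onload=, ...
  /javascript\s*:/i,      // javascript: URLs in href / xlink:href
];
function detectRasterType(data: Uint8Array): string | null {
  for (const { type, bytes } of ALLOWED_MAGIC) {
    if (data.length >= bytes.length && bytes.every((b, i) => data[i] === b)) return type;
  }
  return null; // not a recognised raster image
}
function svgHasActiveContent(svg: string): boolean {
  return ACTIVE_SVG_MARKUP.some((re) => re.test(svg));
}
function isAcceptableAvatar(data: Uint8Array, allowSvg = false): { ok: boolean; reason: string } {
  const raster = detectRasterType(data);
  if (raster) return { ok: true, reason: raster };
  const text = asciiOf(data); // Latin-1 view of the whole file; the markup we match is ASCII
  if (!/^\s*(<\?xml|<svg)\b/i.test(text)) return { ok: false, reason: "unrecognised format" };
  if (!allowSvg) return { ok: false, reason: "SVG avatars are not allowed" };
  if (svgHasActiveContent(text)) return { ok: false, reason: "SVG contains active content" };
  return { ok: true, reason: "image/svg+xml" };
}
function asciiOf(data: Uint8Array): string {
  return Array.from(data, (b) => String.fromCharCode(b)).join("");
}
function bytesOf(text: string): Uint8Array {
  const out = new Uint8Array(text.length);
  for (let i = 0; i < text.length; i++) out[i] = text.charCodeAt(i) & 0xff;
  return out;
}
// Constructed samples: the advisory's payload, a harmless SVG and a PNG file header.
const MALICIOUS_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><foreignObject><iframe xmlns="http://www.w3.org/1999/xhtml" src="https://evil.com" onmouseover="alert(document.cookie)"></iframe></foreignObject></svg>';
const BENIGN_SVG = '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10"><circle cx="5" cy="5" r="4"/></svg>';
const PNG_HEADER = new Uint8Array([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0x00, 0x00, 0x00, 0x0d]);
```

The denylist will occasionally reject a harmless SVG that mentions these tokens in text, which is the acceptable direction of error for an avatar store; serving uploads with a restrictive `Content-Security-Policy` and `Content-Disposition: attachment` is a complementary layer this check does not replace.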

### Example Malicious SVG Payload
```xml
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" viewBox="0 0 100 100">
  <foreignObject x="0" y="0" width="100" height="100">
    <iframe xmlns="http://www.w3.org/1999/xhtml" src="https://evil.com" onmouseover="alert(document.cookie)" width="100" height="100"></iframe>
  </foreignObject>
  <text x="0" y="15"></text>
</svg>
```