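Related vulnerability
Title: vaahcms security vulnerability (CVE-2025-61183)
Description: vaahcms is an open-source web application development platform from WebReinvent Technologies Pvt Ltd. vaahcms version 2.3.1 contains a security vulnerability caused by cross-site scripting in the upload functionality of the storeAvatar method in UserBase.php, which may lead to arbitrary code execution.
Introduction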
# [CVE-2025-61183] Stored XSS in User Avatar Upload via Unsafe SVG Handling
## Overview
A Stored Cross-Site Scripting (XSS) vulnerability was identified in the **storeAvatar()** method of **UserBase.php** and related file upload logic, allowing a low-level registered user to upload a malicious SVG file containing embedded JavaScript. The vulnerability stems from file storage occurring *before* content or MIME-type validation, leaving malicious files on a predictable, publicly accessible path on the server.
## Impact
Successful exploitation allows an attacker to control the content and filename of a file written to a public storage path (`/storage/media/YYYY/MM/<controlled-filename>.svg`). If this publicly accessible SVG is subsequently rendered by a user's browser via an `<img>`, `<object>`, or crafted link, the embedded script will execute, leading to persistent XSS.
## Affected Product and Versions
* **Product:** VaahCMS
* **Vulnerable Versions:** 2.3.1
### Vulnerable Endpoint
`POST /backend/vaah/manage/media/upload`
### Critical Flaws
1. **Race Condition/Timing Issue:** The file is physically saved to disk before any content validation or MIME-type checking is performed.
2. **Predictable Path:** Malicious files are saved under a predictable public path: `/storage/media/YYYY/MM/<controlled-filename>.svg`.
3. **No Cleanup:** Files persist even if the backend returns an error (e.g., `{"success": false, "errors": ["Unable to decode input"]}`).
## Exploitation Flow (Proof of Concept)
1. An attacker creates a specially crafted SVG file (see `POC.svg`).
2. The attacker sends a request to the vulnerable endpoint, controlling the filename (e.g., `xss.svg`).
3. Despite a failed backend response, the file is saved to disk, for example, at `/storage/media/2025/08/xss.svg`.
4. The attacker delivers a link or embeds the path (e.g., in a forum post or email) to a victim, triggering the payload.
<img width="1920" height="921" alt="POC" src="https://github.com/user-attachments/assets/f71b2f93-910a-4d0b-9859-43a23c80d0dd" />
## Mitigation/Vendor Response
* **Vendor:** VaahCMS
* **Status:** **Acknowledged, fix pending**
* **Temporary Mitigation:**
  * Disable SVG file uploads entirely in the application
  * Implement server-side file type validation using MIME type checking **before** storing files
  * Use a dedicated SVG sanitizer library (e.g., `enshrined/svg-sanitize` for PHP)
  * Store uploaded files outside the web root and serve them through a secure proxy
  * Implement automatic cleanup of files that fail validation
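
The ordering fix from the mitigation list above (validate before storing, clean up on rejection, store outside the web root), shown as an added example that is not VaahCMS code. The names `storeValidatedAvatar`, `ALLOWED_MIME` and `$storageRoot` are hypothetical, and the sketch assumes a standard multipart PHP upload and that avatars only need raster formats.

```php
<?php
// Added example (not project code): validate an upload while it is still in
// PHP's temp location, and only then move it into storage.

const ALLOWED_MIME = [          // assumption: avatars only need raster formats
    'image/png'  => 'png',
    'image/jpeg' => 'jpg',
    'image/gif'  => 'gif',
    'image/webp' => 'webp',
];

/**
 * @param string $tmpPath     not-yet-stored upload, e.g. $_FILES['file']['tmp_name']
 * @param string $storageRoot directory outside the web root (assumption)
 * @return string             server-generated file name to record in the database
 */
function storeValidatedAvatar(string $tmpPath, string $storageRoot): string
{
    if (!is_uploaded_file($tmpPath)) {
        throw new RuntimeException('Not an HTTP upload');
    }

    // Detect the type from the file's bytes, not from the client-supplied
    // file name or Content-Type header. SVG is not on the allowlist.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($mime === false || !isset(ALLOWED_MIME[$mime])) {
        @unlink($tmpPath);   // cleanup: a rejected file never persists
        throw new RuntimeException('Rejected upload type');
    }

    // Second check: the file must actually decode as a raster image.
    if (getimagesize($tmpPath) === false) {
        @unlink($tmpPath);
        throw new RuntimeException('Not a decodable image');
    }

    // Server-chosen name and extension: the uploader controls neither,
    // so the stored path is not predictable from the request.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_MIME[$mime];
    $dest = rtrim($storageRoot, '/') . '/' . $name;

    if (!move_uploaded_file($tmpPath, $dest)) {
        @unlink($tmpPath);
        throw new RuntimeException('Could not store upload');
    }
    return $name;
}
```

Files stored this way are served by a controller that looks the generated name up and sets the `Content-Type` from the allowlist, rather than being exposed directly under a public path.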
## 🔗 References
* https://github.com/webreinvent/vaahcms/issues/301
---
**Researcher:** Thaw Phone Nyo
**Date Disclosed:** 2025/10/8