Overview
The “vc-platform” (VirtoCommerce) application, versions v2.1 to v3.79.0, is affected by a stored XSS vulnerability via SVG file upload in the Asset Upload feature. A low-privileged application user can store a malicious script inside the uploaded file, and that script executes in a victim’s browser when the victim opens the uploaded file.
Details
The Asset Upload feature of the “vc-platform” (VirtoCommerce) application accepts SVG files without removing embedded script. Because a browser treats an SVG file opened directly as an XML document, a <script> element inside it runs when the file is opened, so a low-privileged application user can store a malicious script in the uploaded file and have it execute in a victim’s browser when the victim opens that file.
PoC Details
Steps to reproduce:
1. Log in to the application with a manager-role user that has administrative privileges for the Electronics store. This is considered low privilege: it is not an administrative role of the application.
2. Click the “More” option in the left pane, then click the “Content” option.
3. In the Electronics store section, click the “Pages” option, then click the “Upload” option, then click the icon in the Asset Upload section to upload a file.
4. Select the malicious SVG file (which contains the payload shown under PoC Code) and upload it.
5. Click the three dots next to the uploaded image and copy the file link.
6. Open a new tab in the browser and navigate to the copied link; the XSS is triggered.
PoC Code
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert(document.domain);
</script>
</svg>
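The advisory reports no vendor fix. As an added example (not VirtoCommerce code, and not part of the original advisory), the following shows the kind of server-side check an upload handler could apply to SVG files: parse the document, report any <script> or <foreignObject> element, any on* event-handler attribute and any href using a script scheme, and optionally strip them before storing the file. The first sample input is the PoC payload from this page; the other two samples and all function names (scan_svg, sanitize_svg, is_active_attribute) are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Element names (compared without namespace, case-insensitive) that let an
# SVG run script when a browser opens it directly.
ACTIVE_ELEMENTS = {"script", "foreignobject"}
# URL schemes that make an href execute script or embed arbitrary content.
SCRIPT_SCHEMES = ("javascript:", "data:", "vbscript:")

# Constructed sample 1: the advisory's PoC payload (inline <script>).
POC_SVG = """<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert(document.domain);
</script>
</svg>"""

# Constructed sample 2: no <script> element, but an event-handler attribute.
HANDLER_SVG = """<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.domain)">
<rect width="10" height="10"/>
</svg>"""

# Constructed sample 3: a plain drawing with nothing active in it.
BENIGN_SVG = """<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 50 50">
<polygon points="0,0 0,50 50,0" fill="#009900"/>
</svg>"""


def local_name(qualified):
    """Strip ElementTree's '{namespace}name' prefix and lower-case the name."""
    return qualified.rsplit("}", 1)[-1].lower()


def is_active_attribute(name, value):
    """True for on* handlers and for href/xlink:href values using a script scheme."""
    short = local_name(name)
    if short.startswith("on"):
        return True
    return short == "href" and value.strip().lower().startswith(SCRIPT_SCHEMES)


def scan_svg(svg_text):
    """Return a list of findings; an empty list means nothing active was seen.
    Malformed XML is reported as a finding so that it is rejected as well."""
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    findings = []
    for el in root.iter():
        tag = local_name(el.tag)
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"<{tag}> element")
        for name, value in el.attrib.items():
            if is_active_attribute(name, value):
                findings.append(f"{local_name(name)} attribute on <{tag}>")
    return findings


def sanitize_svg(svg_text):
    """Return the SVG re-serialised with active elements and attributes removed.
    Re-serialising also drops the DOCTYPE, and with it the external DTD reference."""
    root = ET.fromstring(svg_text)
    # ElementTree has no parent pointers, so build the map once up front.
    parent_of = {child: parent for parent in root.iter() for child in parent}
    for el in list(root.iter()):
        if local_name(el.tag) in ACTIVE_ELEMENTS and el in parent_of:
            parent_of[el].remove(el)
            continue
        for name in list(el.attrib):
            if is_active_attribute(name, el.attrib[name]):
                del el.attrib[name]
    # Keep the SVG namespace as the default namespace instead of an ns0: prefix.
    ET.register_namespace("", "http://www.w3.org/2000/svg")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for label, doc in (("PoC", POC_SVG), ("handler", HANDLER_SVG), ("benign", BENIGN_SVG)):
        print(label, scan_svg(doc) or "clean")
    print(sanitize_svg(POC_SVG))
```

Matching on the local name is what makes the check catch both href and xlink:href. The standard-library parser is not hardened against entity-expansion attacks, so production code would parse with defusedxml instead; and whatever is done at upload time, serving user uploads from a separate origin or with a Content-Disposition: attachment header keeps any script that slips through from running in the application's origin.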
Affected Environments
v2.1 to v3.79.0
Prevention
No fix