VYPR
Medium severity (CVSS 5.7) · OSV Advisory · Published Jan 24, 2025 · Updated Apr 15, 2026

CVE-2024-57277

Description

InnoShop V.0.3.8 and below is vulnerable to Cross Site Scripting (XSS) via SVG file upload.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

InnoShop v0.3.8 and below allows stored XSS via SVG file upload, enabling cookie theft and account takeover.

InnoShop versions 0.3.8 and earlier contain a stored cross-site scripting (XSS) vulnerability in the user profile image upload feature. The application fails to sanitize SVG files, allowing an attacker to upload a crafted SVG containing embedded JavaScript. When the uploaded image is viewed by any user (including administrators), the script executes in the victim's browser. [1]

The attack can be performed by any authenticated user. The attacker navigates to Profile > Edit Profile and uploads a malicious SVG file. The SVG includes a `<script>` tag that reads `document.cookie` and can exfiltrate session cookies. The attack does not require any special privileges beyond a valid user account. [1][3]

Successful exploitation allows an attacker to steal the session cookie of any user who views the malicious image. This cookie can be used to impersonate the victim and perform actions on their behalf, potentially leading to account takeover. If a low-privileged user uploads the SVG and an administrator views it, the attacker can steal the admin's session. [1][3]

The vendor has addressed the issue in commit 7ccc90d2b549e14460efc4f758b01adbd080e7ff by restricting the allowed image MIME types for front-end users so that SVG is excluded. The change was made under innopacks/front/src/Requests and is included in the repository. Users should update to a version containing this commit or apply an equivalent validation rule that rejects SVG uploads. [2]
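The fix restricts accepted MIME types, but the declared type and filename of an upload are client-controlled. The following is an added example (not InnoShop's Laravel code) of the same allowlist check done against the file's actual bytes, so an SVG cannot slip through by claiming to be a PNG; which raster formats to allow is an assumption for the example:

```python
# Added example (not InnoShop's code): allowlist uploads by sniffed content.
import re
from typing import Optional, Tuple

# Magic bytes of the raster formats a profile picture may be. The list is an
# assumption for this example; SVG is absent on purpose (XML, can carry script).
ALLOWED_SIGNATURES = {
    "image/png":  [b"\x89PNG\r\n\x1a\n"],
    "image/jpeg": [b"\xff\xd8\xff"],
    "image/gif":  [b"GIF87a", b"GIF89a"],
}
EXT_FOR_MIME = {"image/png": {"png"}, "image/jpeg": {"jpg", "jpeg"}, "image/gif": {"gif"}}

# SVG is XML with an <svg> root, possibly after a BOM, whitespace, XML declaration, comments or DOCTYPE.
_SVG_ROOT = re.compile(
    rb"^(?:\xef\xbb\xbf)?\s*(?:<\?xml[^>]*\?>\s*|<!--.*?-->\s*|<!DOCTYPE[^>]*>\s*)*<svg\b",
    re.IGNORECASE | re.DOTALL,
)

def sniff_image_type(data: bytes) -> Optional[str]:
    """Return the allowlisted MIME type the bytes really are, or None."""
    for mime, signatures in ALLOWED_SIGNATURES.items():
        if any(data.startswith(sig) for sig in signatures):
            return mime
    return None

def validate_profile_image(filename: str, declared_mime: str, data: bytes) -> Tuple[bool, str]:
    """Accept only files whose content is an allowlisted raster format.
    Filename and declared MIME type come from the client, so they are only
    checked for consistency with the sniffed content, never trusted alone."""
    if _SVG_ROOT.match(data):
        return False, "rejected: SVG (scriptable XML) is not an allowed image type"
    actual = sniff_image_type(data)
    if actual is None:
        return False, "rejected: content matches no allowlisted image format"
    if declared_mime.lower() != actual:
        return False, f"rejected: declared {declared_mime} but content is {actual}"
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in EXT_FOR_MIME[actual]:
        return False, f"rejected: extension .{ext} does not match content {actual}"
    return True, f"accepted as {actual}"

# Constructed sample uploads (not real traffic): a genuine PNG header, and an
# SVG whose filename and declared type falsely claim it is a PNG.
PNG_UPLOAD = ("avatar.png", "image/png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
SVG_UPLOAD = ("avatar.png", "image/png",
              b'<?xml version="1.0"?>\n<svg xmlns="http://www.w3.org/2000/svg"/>')

if __name__ == "__main__":
    for upload in (PNG_UPLOAD, SVG_UPLOAD):
        print(upload[0], validate_profile_image(*upload))
```

Serve stored files with the sniffed Content-Type and `X-Content-Type-Options: nosniff` so the browser never reinterprets an upload as something else.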

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

  • Innocommerce/Innoshop (OSV), 2 version entries: v0.1.1, v0.2.0, v0.2.1, …+ 1 more
    • (no CPE) range: v0.1.1, v0.2.0, v0.2.1, …
    • (no CPE) range: <=0.3.8

Patches: 1

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 4
