Stored XSS Vulnerability in MetInfo CMS Webset Module via SVG Upload

Vulnerability Description

A stored Cross-Site Scripting (XSS) vulnerability has been discovered in MetInfo CMS version 8.0. The vulnerability exists due to insufficient validation and sanitization of SVG file uploads in the app\system\include\module\uploadify.class.php component, specifically in the website settings module. This security flaw allows attackers to upload malicious SVG files containing JavaScript code that executes when the uploaded file is viewed or accessed.

Affected Product

• Product: MetInfo CMS
• Version: 8.0
• Component: File Upload Functionality (app\system\include\module\uploadify.class.php)
• CWE: CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)

Technical Details

I deployed MetInfo CMS 8.0 locally using PHPStudy with the access URL http://metlnfo/. The source code is available at: https://www.metinfo.cn/download/89.html

After logging into the admin panel, I identified the website settings module at the URL path http://metlnfo/admin/#/webset/?head_tab_active=0 which allows uploading of various file types without proper validation.

Proof of Concept (PoC)

I created a malicious SVG file with the following content:

<svg xmlns="http://www.w3.org/2000/svg">
  <image href="x" onerror="alert('XSS测试')" />
</svg>

The file was successfully uploaded to the website settings module without any content validation or sanitization:

When viewing the uploaded file, the JavaScript code embedded in the SVG was automatically executed in the browser context:

After clicking the “Save” button, the malicious SVG file was permanently stored in the system, resulting in a stored XSS vulnerability that would trigger whenever any user accessed the affected settings page:

Vulnerable Code Analysis

The vulnerability exists in the file upload handling component (app\system\include\module\uploadify.class.php), which fails to:

1. Properly validate the content of SVG files before accepting them
2. Sanitize potentially dangerous elements and attributes in SVG files
3. Implement proper MIME type restrictions for uploaded files
4. Convert SVG files to safer image formats before storing them

The core issue is that the upload functionality in the website settings module allows SVG files to be uploaded and later served with the correct MIME type that enables JavaScript execution within the browser.

Impact

This vulnerability allows attackers with administrative access to:

1. Execute arbitrary JavaScript code in the context of other users’ browsers, including site administrators
2. Steal sensitive information such as session cookies and authentication tokens
3. Perform unauthorized actions on behalf of victims
4. Potentially escalate to more severe attacks by chaining with other vulnerabilities

While exploitation requires administrative access to the website settings feature, it creates a significant security risk as the stored XSS payload can affect any user viewing the compromised settings page, including higher-privileged administrators.

Remediation

To fix this vulnerability, the application should implement the following security measures:

1. Enhance the uploadify.class.php component to perform content validation and sanitization of SVG files
2. Strip potentially dangerous elements and attributes from SVG files
3. Consider converting SVG files to raster image formats (PNG, JPEG) during the upload process
4. Implement proper Content Security Policy (CSP) headers to prevent script execution from uploaded files
5. Serve SVG files with a MIME type that prevents script execution (e.g., image/svg+xml-sanitized)
6. Implement stricter file type checking that goes beyond extension validation

Timeline

• 2025-08-22: Vulnerability discovered
• 2025-08-22: Documentation and proof of concept created
• [Future Date]: Vulnerability reported to vendor
• [Future Date]: CVE assigned