Stored XSS Vulnerability in MetInfo CMS Column Module
Vulnerability Description
A stored Cross-Site Scripting (XSS) vulnerability has been discovered in MetInfo CMS version 8.0. The vulnerability exists in the column management module, specifically in the app\system\column\admin\index.class.php
component. The column settings upload accepts SVG files without inspecting their content, so an authenticated administrator can store an SVG that carries JavaScript; the script then runs in the site's origin in the browser of any user who later opens the stored file directly.
Affected Product
- Product: MetInfo CMS
- Version: 8.0
- Component: Column Management Module (app\system\column\admin\index.class.php)
- CWE: CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
Technical Details
I deployed MetInfo CMS 8.0 locally using PHPStudy with the access URL http://metlnfo/. The source code is available at: https://www.metinfo.cn/download/89.html
After logging into the admin panel, I accessed the column management module at http://metlnfo/admin/#/column, which is backed by the vulnerable component.
Proof of Concept (PoC)
After accessing the column management module, I selected the settings option, which exposes a file upload field:
I created a malicious SVG file with the following content:
The file was accepted without any content validation or sanitization:
When the uploaded file was opened directly in the browser, the JavaScript embedded in the SVG executed in the context of the MetInfo site's origin:
After clicking the “Save” button, the malicious SVG file was permanently stored in the system, so the payload is served to anyone who opens the file's URL; this makes it a stored XSS:
Vulnerable Code Analysis
The vulnerability exists in the column management module’s file upload handling, which fails to:
- Restrict the accepted image types to formats that cannot carry script (SVG is XML and may contain <script>, on* event-handler attributes and <foreignObject>)
- Validate or sanitize the content of SVG files before accepting them
- Strip script-capable elements and attributes from SVG files that are allowed through
- Rasterize SVG files to a safer format (PNG, JPEG) before storing them
The core issue is that the module stores the SVG unchanged and later serves it from the site's own origin as image/svg+xml. An SVG referenced through an <img> tag does not run script, but the same file opened directly as a document (or embedded via <object>, <embed> or <iframe>) does, and because it is served from the same origin as the admin panel the script runs with that origin's privileges: same-origin requests, the DOM, and any cookies not marked HttpOnly.
Impact
Exploitation requires an account that can upload through the column settings, that is, administrative access. With that access an attacker can:
- Plant a payload that persists beyond their own session and executes in the browser of any user, including other administrators, who opens the stored file's URL
- Steal sensitive information such as non-HttpOnly session cookies and authentication tokens
- Perform unauthorized actions on behalf of victims by issuing same-origin requests to the admin panel
- Chain with other vulnerabilities to escalate further
Because the payload is served from the same origin as the admin panel, a successful attack against another administrator amounts to compromise of that administrator's session and account.
Remediation
To fix this vulnerability, the application should implement the following security measures:
- Reject SVG in the column image upload unless it is genuinely needed; where it is, verify that the file is well-formed XML with an <svg> root and run it through a maintained SVG sanitizer rather than ad-hoc filtering
- Strip script-capable elements and attributes: <script>, <foreignObject>, on* event handlers, javascript: and data: URLs in href/xlink:href, and url() or @import references in styles
- Consider rasterizing SVG files to PNG or JPEG during the upload process, which removes the problem entirely
- Serve uploaded files with Content-Disposition: attachment, X-Content-Type-Options: nosniff and a Content-Security-Policy header (for example sandbox; default-src 'none'), or from a separate origin, so that a file that slips through cannot execute script in the site's origin
- Do not rely on the Content-Type value for protection: there is no such MIME type as image/svg+xml-sanitized, and the correct type image/svg+xml is exactly what lets a browser treat the file as a scriptable document, so the control has to come from the headers above or from sanitizing the content
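The checks described in the analysis and remediation sections, as an added example written for this write-up; it is not MetInfo code and it is not the file used in the test above. It screens an uploaded SVG for the script-capable constructs named above (script and foreignObject elements, on* event handlers, javascript:/data:/external URLs in href, resource loads from styles) and builds the response headers for serving a stored SVG so the browser will not run script from it. The function names, the CSP string and the two sample documents are this example's own; both samples are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Elements that can execute script or smuggle arbitrary HTML into an SVG.
SCRIPT_CAPABLE_TAGS = {"script", "foreignObject", "handler"}
# URL schemes whose href is itself executable.
SCRIPT_SCHEMES = {"javascript", "data", "vbscript"}
URL_SCHEME = re.compile(r"([a-z][a-z0-9+.\-]*):", re.I)
# Anything that lets a <style> block or style= attribute fetch a resource.
STYLE_FETCH = re.compile(r"url\s*\(|@import", re.I)


def _local(name: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tags and attributes."""
    return name.rsplit("}", 1)[-1]


def find_svg_risks(data: bytes) -> list:
    """Return the reasons an uploaded SVG should be rejected; [] means clean.

    Malformed XML is rejected outright: an upload handler should not guess
    at the meaning of broken markup, because the browser will guess differently.
    """
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]

    findings = []
    if _local(root.tag) != "svg":
        findings.append(f"root element is <{_local(root.tag)}>, not <svg>")

    for el in root.iter():
        tag = _local(el.tag)
        if tag in SCRIPT_CAPABLE_TAGS:
            findings.append(f"<{tag}> element")
        if tag == "style" and STYLE_FETCH.search(el.text or ""):
            findings.append("<style> block that loads a resource")
        for attr, value in el.attrib.items():
            name = _local(attr)
            if name.lower().startswith("on"):
                findings.append(f"event handler {name}= on <{tag}>")
            elif name in ("href", "src"):
                # Browsers ignore whitespace and control characters inside the
                # scheme, so "java\tscript:" must be read as javascript:.
                cleaned = re.sub(r"[\x00-\x20]", "", value)
                m = URL_SCHEME.match(cleaned)
                if m and m.group(1).lower() in SCRIPT_SCHEMES:
                    findings.append(f"{m.group(1).lower()}: URL in {name}= on <{tag}>")
                elif m:
                    findings.append(f"external {name}= on <{tag}>")
            elif name == "style" and STYLE_FETCH.search(value):
                findings.append(f"style= attribute that loads a resource on <{tag}>")
    return findings


def headers_for_uploaded_svg(filename: str, inline: bool = False) -> dict:
    """Response headers for a stored, user-supplied SVG (example policy).

    nosniff pins the declared type, the CSP sandbox directive disables script
    and gives the document an opaque origin, and by default the file is
    offered as a download instead of being rendered as a top-level document.
    """
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", filename) or "upload.svg"
    disposition = "inline" if inline else "attachment"
    return {
        "Content-Type": "image/svg+xml",
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "sandbox; default-src 'none'; style-src 'unsafe-inline'",
        "Content-Disposition": f'{disposition}; filename="{safe_name}"',
    }


# Constructed samples: a harmless icon, and one file carrying the usual SVG
# XSS vectors (root onload, <script>, obfuscated javascript: href, foreignObject).
BENIGN_SVG = b"""<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">
  <defs><linearGradient id="g"/></defs>
  <rect width="10" height="10" fill="url(#g)"/>
</svg>"""

MALICIOUS_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert(document.domain)">
  <script>alert(document.cookie)</script>
  <a xlink:href="java&#9;script:alert(1)"><text y="10">click</text></a>
  <foreignObject><body xmlns="http://www.w3.org/1999/xhtml">x</body></foreignObject>
</svg>"""

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_SVG), ("malicious", MALICIOUS_SVG)):
        print(label, "->", find_svg_risks(doc) or "accepted")
    print(headers_for_uploaded_svg("column icon.svg"))
```

The screen is deliberately a reject-list over a parsed tree rather than a regex over the raw bytes: the parser sees the same element and attribute boundaries the browser will, so a `java&#9;script:` href or a namespaced `xlink:href` cannot hide from it the way it can from a substring match. The headers are the second layer and apply even to files that pass the screen.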
Timeline
- 2025-08-22: Vulnerability discovered
- 2025-08-22: Documentation and proof of concept created
- [Future Date]: Vulnerability reported to vendor
- [Future Date]: CVE assigned