View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0007937 | OXID eShop (all versions) | 4.04. Security | public | 2026-04-29 16:06 | 2026-05-27 10:01 |
| Reporter | michael_keiluweit | Assigned To | |||
| Priority | normal | Severity | major | Reproducibility | always |
| Status | resolved | Resolution | fixed | ||
| Product Version | 7.5.0 | ||||
| Fixed in Version | 7.4.1 | ||||
| Summary | 0007937: Stored XSS via SVG upload in media-library-module (executes on direct SVG URL) | ||||
| Description | Media library accepts `.svg` uploads without sanitization. Direct request to the stored SVG is served as `image/svg+xml`, executing embedded `<script>` in the shop origin. Expected: Reject upload, sanitize content, or serve with non-active content type / `Content-Disposition: attachment`. Actual: Browser executes the embedded JavaScript in the shop's origin (cookie / session accessible). Impact: Anyone with upload access can host JS on a shop URL. A victim following the link executes the script under the shop origin -> session theft, authenticated actions. | ||||
| Steps To Reproduce | 1. Log in to admin backend. 2. Open Media library and upload an SVG containing `<script>alert(document.cookie)</script>`. (see attachment) 3. Upload returns `{"success": true}`; file stored at `out/pictures/ddmedia/<file>.svg`. 4. Open `https://<shop>/out/pictures/ddmedia/<file>.svg` in the browser. | ||||
| Additional Information | Only the direct-URL vector was reproduced. Embedding via WYSIWYG or media-library thumbnails did not trigger the script (both use `<img>`, which does not execute SVG scripts). | ||||
| Tags | No tags attached. | ||||
| Theme | Not defined | ||||
| Browser | Not defined | ||||
| PHP Version | Not defined | ||||
| Database Version | Not defined | ||||
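As an added example (not part of this report or of the OXID code base, and written in Python rather than the module's PHP), an upload-time check that implements the "reject unless clean" remediation the report asks for, plus the response headers for the "serve as inactive content" alternative. The blocked element and attribute lists are my own assumption of a minimal policy, not an exhaustive SVG security profile.

```python
import xml.etree.ElementTree as ET

SVG_NS = "{http://www.w3.org/2000/svg}"
XLINK_NS = "{http://www.w3.org/1999/xlink}"
# Assumed block-list: elements that run script or pull in active/foreign content.
FORBIDDEN_TAGS = {"script", "foreignObject", "use", "iframe", "embed", "object"}
URL_ATTRS = {"href", XLINK_NS + "href"}


def svg_findings(data: bytes) -> list[str]:
    """Return the reasons an uploaded SVG must be rejected; an empty list means it passed."""
    head = data[:2048].lower()
    if b"<!doctype" in head or b"<!entity" in head:
        # Refuse before parsing: no legitimate icon needs a DTD or entity declarations.
        return ["DOCTYPE/ENTITY declaration present"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    findings = []
    if root.tag != SVG_NS + "svg":
        findings.append(f"root element is {root.tag!r}, not <svg>")
    for el in root.iter():
        # Comments/PIs have a callable tag; skip them but still walk real elements.
        local = el.tag.split("}", 1)[-1] if isinstance(el.tag, str) else ""
        if local in FORBIDDEN_TAGS:
            findings.append(f"forbidden element <{local}>")
        for name, value in el.attrib.items():
            if name.lower().startswith("on"):
                findings.append(f"event handler attribute {name!r} on <{local}>")
            if name in URL_ATTRS and value.strip().lower().startswith(("javascript:", "data:")):
                findings.append(f"active URL in {name!r} on <{local}>")
    return findings


def inactive_serving_headers(filename: str) -> dict[str, str]:
    """Headers for the fallback fix: the browser downloads the file instead of rendering it."""
    safe_name = filename.replace('"', "").replace("\r", "").replace("\n", "")
    return {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "sandbox",
    }


# Constructed samples: the payload from the report, an event-handler variant, and a clean icon.
MALICIOUS = b'<svg xmlns="http://www.w3.org/2000/svg"><script>alert(document.cookie)</script></svg>'
HANDLER = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="1" onload="alert(1)"/></svg>'
BENIGN = b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10"><rect width="10" height="10"/></svg>'
```

Run the check on every media-library upload and store the file only when `svg_findings()` returns an empty list; files already on disk can be served with `inactive_serving_headers()` until they are re-validated.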