memos
Stored XSS via SVG file upload
Describe the bug
The vulnerability is not really critical, since it does not apply to the entire web application. But it does execute when the URL is navigated to, allowing the SVG file to execute a cross-site scripting attack. This could be used either to steal a session (when the cookies are not correctly configured) or possibly to execute a client-side request.
I'd recommend parsing the uploaded data for JavaScript to prevent execution.
Steps to reproduce
I created a file called xss6.svg, which contains the following code:
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg" onload="alert(document.domain)">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
</svg>
The alert(document.domain) should provide the domain where the XSS is executed.
The paperclip button is clicked:
With the button clicked, the file xss6.svg is uploaded:
After clicking the send button, the post is placed.
The XSS does not execute on the home page. But as soon as the image is right-clicked and the link of the image is copied, this link can be shared:
When this link is opened, the XSS gets executed and shows the current domain (I deployed it via Pikapods):
Hopefully this helps make memos more secure.
The version of Memos you're using
tested on v0.24.3 and v0.24.2
Screenshots or additional context
No response
I did first create it at https://github.com/usememos/memos/security, but noticed this was not the correct procedure for Memos.
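Added example, not code from the report or from the memos project: memos is written in Go, so this is a Go sketch of the two controls a practitioner would reach for here. SanitizeSVG is the "parse the upload for JavaScript" idea from the report, implemented as a token-stream rewrite that drops script-capable subtrees, on* handlers, script-capable hrefs, comments and the DOCTYPE; AttachmentHeaders is the serving-side control for the "copy the image link and open it" vector. The function names are mine, samplePayload is the xss6.svg from the report inlined so the block runs offline, and nothing here is taken from the linked fix commit.

```go
package main

import (
	"bytes"
	"encoding/xml"
	"fmt"
	"io"
	"mime"
	"net/http"
	"strings"
)

// samplePayload is the reporter's xss6.svg from the issue above, inlined so the example runs offline.
const samplePayload = `<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg" onload="alert(document.domain)">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
</svg>`

// Elements whose whole subtree is dropped: <script> runs JS, <foreignObject> can embed HTML.
var droppedElements = map[string]bool{"script": true, "foreignobject": true}

// qname renders an xml.Name as it appeared in the input (RawToken keeps the prefix in Space).
func qname(n xml.Name) string {
	if n.Space != "" {
		return n.Space + ":" + n.Local
	}
	return n.Local
}

// unsafeURL reports whether an href value could run script. Whitespace and control characters
// are stripped first so "java&#9;script:" is not waved through; only http(s), relative paths
// and fragments are allowed.
func unsafeURL(v string) bool {
	var b strings.Builder
	for _, r := range v {
		if r > ' ' {
			b.WriteRune(r)
		}
	}
	v = strings.ToLower(b.String())
	i := strings.IndexByte(v, ':')
	if i < 0 || strings.ContainsAny(v[:i], "/#?") {
		return false // no scheme: relative path or fragment
	}
	return v[:i] != "http" && v[:i] != "https"
}

// SanitizeSVG re-serialises an SVG from its token stream and returns the clean document plus
// a list of what was removed, so the upload handler can log the attempt or reject the file.
func SanitizeSVG(in []byte) ([]byte, []string, error) {
	dec := xml.NewDecoder(bytes.NewReader(in))
	dec.Strict = true
	var out bytes.Buffer
	var removed []string
	var stack []xml.Name // open elements, checked on close because RawToken does not
	skip := 0            // >0 while inside a dropped subtree
	for {
		tok, err := dec.RawToken()
		if err == io.EOF {
			break
		}
		if err != nil {
			return nil, removed, err
		}
		switch t := tok.(type) {
		case xml.StartElement:
			stack = append(stack, t.Name)
			if skip > 0 || droppedElements[strings.ToLower(t.Name.Local)] {
				if skip == 0 {
					removed = append(removed, "element "+qname(t.Name))
				}
				skip++
				continue
			}
			out.WriteString("<" + qname(t.Name))
			for _, a := range t.Attr {
				local := strings.ToLower(a.Name.Local)
				if strings.HasPrefix(local, "on") || (local == "href" && unsafeURL(a.Value)) {
					removed = append(removed, "attribute "+qname(a.Name)+"="+a.Value)
					continue
				}
				out.WriteString(" " + qname(a.Name) + `="`)
				xml.EscapeText(&out, []byte(a.Value)) // re-escape the decoded entities
				out.WriteByte('"')
			}
			out.WriteByte('>')
		case xml.EndElement:
			if len(stack) == 0 || stack[len(stack)-1] != t.Name {
				return nil, removed, fmt.Errorf("mismatched end tag </%s>", qname(t.Name))
			}
			stack = stack[:len(stack)-1]
			if skip > 0 {
				skip--
				continue
			}
			out.WriteString("</" + qname(t.Name) + ">")
		case xml.CharData:
			if skip == 0 {
				xml.EscapeText(&out, t)
			}
		case xml.ProcInst:
			out.WriteString("<?" + t.Target + " " + string(t.Inst) + "?>")
		case xml.Comment, xml.Directive:
			// Dropped: neither is needed to render, and a DOCTYPE can declare entities that
			// other XML consumers would expand.
		}
	}
	if len(stack) != 0 {
		return nil, removed, fmt.Errorf("unclosed element <%s>", qname(stack[len(stack)-1]))
	}
	return out.Bytes(), removed, nil
}

// AttachmentHeaders is the serving-side control: Content-Disposition: attachment makes a direct
// navigation download the file instead of rendering it as a document, while <img> embeds (which
// never run SVG script) keep working. The CSP is defence in depth for a client that renders anyway.
func AttachmentHeaders(h http.Header, filename string) {
	h.Set("Content-Type", "image/svg+xml")
	h.Set("Content-Disposition", mime.FormatMediaType("attachment", map[string]string{"filename": filename}))
	h.Set("X-Content-Type-Options", "nosniff")
	h.Set("Content-Security-Policy", "default-src 'none'; script-src 'none'; sandbox")
}

func main() {
	clean, removed, err := SanitizeSVG([]byte(samplePayload))
	if err != nil {
		panic(err)
	}
	fmt.Printf("removed: %v\n%s\n", removed, clean)
}
```

Run against the report's payload, SanitizeSVG keeps the polygon and the namespace declaration and reports the onload attribute as removed. A denylist sanitizer like this is still fragile (SMIL animation elements can set attributes, style can carry url() values, and new vectors appear), so the header-based control is the one to rely on and the sanitizer is the second layer, not the first.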
Thanks for reporting; it should be fixed in https://github.com/usememos/memos/commit/46d5307d7f210067b46e07400a728fa9095803d9.