CENSUS has discovered a stored cross site scripting (XSS) vulnerability in the Squidex "headless" open source CMS framework.
The vulnerability affects all versions of Squidex prior to 7.9.0 and enables privilege escalation affecting authenticated victim users.
The Squidex development team has addressed the issue in version 7.9.0 of the software.
Charalampos Maraziaris of CENSUS identified that the SVG asset filtering mechanism intended to stop XSS attacks through uploaded SVG images is insufficient, resulting to stored XSS attacks.
Squidex allows the CMS contributors to be granted the permission of uploading an SVG asset.
When the asset is uploaded, a filtering mechanism is performed to validate that the SVG does not contain malicious code.
The code executed when uploading an SVG is the following:
// File: Squidex/squidex-7.8.2/backend/src/Squidex.Domain.Apps.Entities/Assets/SvgAssetMetadataSource.cs
15: public sealed class SvgAssetMetadataSource : IAssetMetadataSource
using (var reader = new StreamReader(command.File.OpenRead()))
var text = await reader.ReadToEndAsync();
38: if (!text.IsValidSvg())
throw new ValidationException(T.Get("validation.notAnValidSvg"));
The IsValidSvg method is defined in Squidex/libs/text/Squidex.Text/HtmlSvgExtensions.cs as:
// File: Squidex/libs/text/Squidex.Text/HtmlSvgExtensions.cs
12: public static class HtmlSvgExtensions
private static readonly HashSet InvalidSvgElements = new HashSet(StringComparer.OrdinalIgnoreCase)
19: public static bool IsValidSvg(this string html)
var document = LoadHtml(html);
46: private static bool IsValid(HtmlNode node)
54: if (InvalidSvgElements.Contains(node.Name))
for (var i = 0; i < node.Attributes.Count; i++)
var attribute = node.Attributes[i];
65: if (attribute.Name.StartsWith("on", StringComparison.OrdinalIgnoreCase))
The validation logic consists of traversing the HTML nodes in the DOM.
In order for the validation to succeed, 2 conditions must be met:
- No HTML tags included in a "blacklist" called "InvalidSvgElements" are present (line 54). This list only contains the element "script".
- No attributes of HTML tags begin with "on" (i.e. onerror, onclick) (line 65).
If either of the 2 conditions is not satisfied, validation fails and the file/asset is not uploaded.
As a Proof-of-Concept, the following SVG file was successfully uploaded, evading the validation efforts:
<svg width="500" height="500" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<circle cx="50" cy="50" r="45" fill="green" id="foo"/>
<foreignObject width="500" height="500">
Authenticated adversaries with the "assets.create" permission can leverage this vulnerability to upload a malicious SVG as an asset, targeting any registered user that will attempt to open/view the asset through the Squidex CMS.
The impact of this issue is magnified due to the fact that the SVG image is rendered in-browser, under the Squidex instance's domain (in default installations).
|CVE Allocation:||October 29, 2023|
|Vendor Contact:||October 30, 2023|
|Vendor Confirmation:||October 30, 2023|
|Vendor Fix Released:||November 7, 2023|
|Public Advisory:||November 8, 2023|