Submission #580323: Part-DB 1.17.0 Cross-Site Scripting

Information

Title: Part-DB 1.17.0 Cross-Site Scripting
Description: A Stored Cross-Site Scripting (XSS) vulnerability in the Change Profile Picture feature was found. The application allows users to upload .svg files as avatars. If a user uploads an SVG file containing embedded JavaScript, the script is executed when the image is accessed directly, which can lead to serious issues such as Account Takeover. The vendor was contacted on May 11, 2025 and the issue was fixed in version 1.17.1 on May 18, 2025.

This vulnerability becomes more critical when exploited against administrator accounts. If an admin views the malicious image, the embedded script executes in their context. Since administrators have permission to modify user accounts, a malicious payload could, for example, automatically submit a POST request to /en/user/2/edit, changing the admin's account data and leading to a full account takeover.

Steps to Reproduce:
1. Log in with a user account that has permission to edit their profile picture.
2. Upload an SVG file containing malicious JavaScript (a proof-of-concept txt file is attached; change to svg when uploading).
3. Have an administrator view the image (via direct link or the Users tab).
4. The script will execute in the admin's context, potentially altering their account data.

You can find a detailed description at https://github.com/b1d0ws/CVEs/blob/main/CVE-2025-XXXX.md.
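The two controls a defender would want for the avatar issue described above, as an added Python example that is not part of this submission and not Part-DB's own code or fix: an upload-time policy check that rejects SVG documents carrying script elements, event-handler attributes, javascript: URLs or DTD declarations, and a header set for serving stored SVGs so that a direct visit cannot run script in the site's origin. The blocked-element list is an assumed policy, the four SVG inputs are constructed samples, and the header names and the hypothetical functions are mine, not the project's.

```python
import xml.etree.ElementTree as ET

# Assumed policy (not Part-DB's): SVG constructs that can execute script or embed HTML.
BLOCKED_ELEMENTS = {"script", "foreignObject", "iframe", "embed", "object"}
# URL attributes whose value must not carry a javascript: scheme (covers href and xlink:href).
URL_ATTRIBUTES = {"href"}


def _local_name(qualified):
    """Strip an ElementTree '{namespace}' prefix: '{http://www.w3.org/2000/svg}svg' -> 'svg'."""
    return qualified.rsplit("}", 1)[-1]


def svg_violations(svg_bytes):
    """Return the reasons an uploaded SVG fails the policy; an empty list means it passed."""
    # Reject DTDs before parsing: entity-expansion attacks hit the parser itself,
    # and an avatar never needs a DOCTYPE.
    if b"<!DOCTYPE" in svg_bytes or b"<!ENTITY" in svg_bytes:
        return ["DOCTYPE/ENTITY declarations are not allowed"]
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    reasons = []
    if _local_name(root.tag) != "svg":
        reasons.append(f"root element is <{_local_name(root.tag)}>, not <svg>")
    for element in root.iter():  # iter() walks the root and every descendant
        name = _local_name(element.tag)
        if name in BLOCKED_ELEMENTS:
            reasons.append(f"blocked element <{name}>")
        for attr, value in element.attrib.items():
            attr_name = _local_name(attr)
            # Every on* attribute in SVG is an event handler (onload, onclick, ...).
            if attr_name.lower().startswith("on"):
                reasons.append(f"event handler attribute {attr_name} on <{name}>")
            if attr_name in URL_ATTRIBUTES and value.strip().lower().startswith("javascript:"):
                reasons.append(f"javascript: URL in {attr_name} on <{name}>")
    return reasons


def is_acceptable_avatar(svg_bytes):
    """Upload-time gate: accept only SVGs with no policy violations."""
    return not svg_violations(svg_bytes)


def avatar_response_headers(filename):
    """Headers for serving a stored SVG (filename assumed already sanitized).
    <img> rendering is unaffected; only a top-level navigation to the file is constrained."""
    return {
        "Content-Type": "image/svg+xml",
        "X-Content-Type-Options": "nosniff",
        # attachment: a direct link downloads the file instead of rendering it as a document
        "Content-Disposition": f'attachment; filename="{filename}"',
        # sandbox: even if rendered, no script runs and the document gets an opaque origin
        "Content-Security-Policy": "sandbox; default-src 'none'",
    }


# Constructed sample uploads (not the submitter's proof of concept).
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10"><circle cx="5" cy="5" r="4"/></svg>'
SCRIPT_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>'
HANDLER_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"><rect width="1" height="1"/></svg>'
HREF_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
            b'<a xlink:href="javascript:alert(1)"><text>x</text></a></svg>')

if __name__ == "__main__":
    samples = [("benign", BENIGN_SVG), ("script", SCRIPT_SVG), ("handler", HANDLER_SVG), ("href", HREF_SVG)]
    for label, sample in samples:
        print(label, svg_violations(sample) or "accepted")
```

The parse-and-inspect approach is deliberately an allow-or-reject gate rather than a sanitizer that strips offending nodes: rewriting SVG in place tends to leave encoding and namespace corner cases behind, whereas rejecting the upload and reporting the reason is simple to reason about. The response headers are the second layer for files that are already stored; together they cover both the upload path and the direct-access path the description names.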
Source: https://github.com/Part-DB/Part-DB-server/releases/tag/v1.17.1
User: b1d0ws (UID 74336)
Submitted: 05/18/2025 11:29 PM (9 months ago)
Moderation: 05/20/2025 03:37 PM (2 days later)
Status: Accepted
VulDB Entry: 309661 [Part-DB up to 1.17.0 Profile Picture Feature AttachmentSubmitHandler.php handleUpload attachment cross site scripting]
Points: 20
