The vulnerability exists within the avatar upload functionality of FormCMS. The application fails to properly validate and sanitize user-supplied file uploads, specifically the file type and its contents. An authenticated attacker can upload a crafted `.html` file containing malicious JavaScript code instead of a legitimate image. The application stores this file on the server and assigns it a predictable, publicly accessible URL. This creates a stored XSS payload. When an administrative or other privileged user later views a page that references this malicious file, such as within a user management interface displaying avatars, the HTML file is fetched and the embedded JavaScript code is executed within the security context of the victim’s browser session.
Platform: FormCMS
Version: v0.5.5
Vulnerability: Stored XSS
Severity: Moderate
Date: 2025-08-28
Prediction: 2025-09-11
What Undercode Say:
curl -X POST -F "<field>=@malicious.html" -H "Cookie: <user_session_cookie>" http://<target>/upload/avatar
<!-- malicious.html -->
<script>alert('XSS')</script>
How Exploit:
Upload malicious HTML file via avatar feature.
Protection from this CVE:
Implement file type whitelisting. Sanitize file content.
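The allow-list and content check named above, as an added example in Python (not FormCMS code and not part of the original report). The size cap, function names and response header set are assumptions chosen for illustration.

```python
import secrets

MAX_BYTES = 2 * 1024 * 1024  # assumed size cap for an avatar

# Allow-list: detected type -> (canonical extension, accepted upload extensions)
ALLOWED = {
    "image/png": (".png", {".png"}),
    "image/jpeg": (".jpg", {".jpg", ".jpeg"}),
    "image/gif": (".gif", {".gif"}),
    "image/webp": (".webp", {".webp"}),
}

def sniff_image_type(data: bytes):
    """Identify the format from leading magic bytes, never from client headers."""
    if data.startswith(b"\x89PNG\r\n\x1a\n"):
        return "image/png"
    if data.startswith(b"\xff\xd8\xff"):
        return "image/jpeg"
    if data[:6] in (b"GIF87a", b"GIF89a"):
        return "image/gif"
    if data[:4] == b"RIFF" and data[8:12] == b"WEBP":
        return "image/webp"
    return None

def validate_avatar(filename: str, data: bytes):
    """Return (stored_name, content_type) or raise ValueError."""
    if not data or len(data) > MAX_BYTES:
        raise ValueError("empty or oversized upload")
    detected = sniff_image_type(data)
    if detected is None:
        raise ValueError("content is not an allowed image format")
    canonical_ext, accepted = ALLOWED[detected]
    dot = filename.rfind(".")
    ext = filename[dot:].lower() if dot != -1 else ""
    if ext not in accepted:
        raise ValueError("extension does not match detected content")
    # Server-chosen random name: no client-controlled name or extension is stored.
    return secrets.token_hex(16) + canonical_ext, detected

def avatar_response_headers(content_type: str) -> dict:
    """Headers for serving a stored avatar so it is never rendered as a document."""
    if content_type not in ALLOWED:
        raise ValueError("refusing to serve unknown type")
    return {
        "Content-Type": content_type,
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }
```

A magic-byte check does not rule out a file that is both a valid image header and trailing markup, which is why the stored extension and the serving headers are fixed by the server. Re-encoding the image server-side before storage is a stronger form of content sanitization.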
Impact:
Privilege escalation, Session hijacking.
Sources:
Reported By: github.com

