xss with svg upload
[Please describe the process to reproduce the vulnerability]
- make a new report
- upload and go to the file link you will get the alert
Possible cause of vulnerability
How to patch
you must sanitize your input. Your application code should never output data received as input directly to the browser without checking it for malicious code.
For more details, refer to the following articles: Preventing XSS Attacks and How to Prevent DOM-based Cross-site Scripting. You can also find useful information in the XSS Prevention Cheat Sheet maintained by the OWASP organization.
Expected results and impact
Other notes and references
that is the poc code of svg
i made nthore report just to make a POC for that
the report id is : https://bugcamp.io/tickets/4e615aa96f853f7aafa08c0fc59a1482
The ticket has accepted.
The vulnerabiltiy has caused by developer’s mistake that is omitted validation routine.
Patch in progress.
We decided severity of this report as “LOW”. Because, the XSS payload is triggered at “static.bugcamp.io” that is out of boundary of bounty program policy, and it used for only static file serving.
We considered for how the vulnerabilty is misusage, variously. But there was no affective scenario.
If you have provable impactive scenario (like account takeover, etc) Please let us know. than, we’ll re-evaluate this ticket.
But there was some problem on payment method as I’m Egyptian.
And the support team tall me they you can send it to my bank if the total bounty is greater than 50000
Okay, we also considering for payment method for foreigner.
Please email to “email@example.com”.
we can discuss about it.
The Patch has deployed.
Please make sure that the vulnerability has been patched properly.
Reward is ￦30,000
hello team I saw the patch but I can bypass it with another function
the Reward of ￦30,000 is so low for a bug like XSS