
CVE-2025-7870

Cross-Site Scripting (XSS) Stored (SVG)

CVE-2025-7870: Cross-Site Scripting (XSS) Storage Injection via SVG Upload

CVE Publication: https://www.cve.org/CVERecord?id=CVE-2025-7870

Summary

An attacker can upload a malicious SVG file containing embedded JavaScript that is executed when the file is accessed directly. This results in Stored Cross-Site Scripting (XSS).

Details

The justificativas-de-falta endpoint allows users to upload files without restricting the content of SVG uploads. After a crafted SVG is uploaded, the embedded script runs in the application's origin whenever the stored file is opened directly in a browser.

Payload:

<svg xmlns="http://www.w3.org/2000/svg" fill="none">
  <script>
    alert("This is an XSS-POC from CVEHUNTERS");
  </script>
</svg>

PoC

Create a file containing the payload and upload it through the justificativas-de-falta endpoint.

Then open the uploaded file directly in the browser to trigger the XSS.
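The root cause is that the application stores and serves an SVG that carries active content. The following is an added defensive example, not code from the advisory or from the i-diario project: a small Ruby module (REXML only, no external gems) that parses an uploaded SVG, reports script elements, inline event-handler attributes, javascript: links, foreignObject and DOCTYPE declarations, and also builds response headers that make a stored upload download rather than render in the site's origin. Module and method names are my own choices for illustration; the sample SVG strings are constructed.

```ruby
require 'rexml/document'

# Added example (not i-diario code): reject SVG uploads that carry active content
# and serve stored uploads as downloads so a stored file cannot script the origin.
module SvgUploadCheck
  # Elements that let an SVG execute script or embed arbitrary HTML.
  DANGEROUS_ELEMENTS = %w[script foreignObject].freeze
  # Attributes that can carry a javascript: URL.
  LINK_ATTRIBUTES = %w[href xlink:href].freeze

  # Returns the list of reasons an SVG must be rejected; an empty array means
  # no active content was found. Malformed XML is rejected as well.
  def self.unsafe_reasons(svg_text)
    reasons = []
    doc = REXML::Document.new(svg_text)
    return ['root element is not <svg>'] unless doc.root && doc.root.name == 'svg'
    reasons << 'DOCTYPE / entity declarations not allowed' if doc.doctype

    REXML::XPath.each(doc, '//*') do |el|
      reasons << "<#{el.name}> element" if DANGEROUS_ELEMENTS.include?(el.name)
      el.attributes.each do |name, value|
        if name.downcase.start_with?('on')
          # onload, onclick, onbegin, ... all run script when the SVG renders
          reasons << "event handler attribute #{name} on <#{el.name}>"
        elsif LINK_ATTRIBUTES.include?(name) &&
              value.downcase.delete(" \t\r\n").start_with?('javascript:')
          reasons << "javascript: URL in #{name} on <#{el.name}>"
        end
      end
    end
    reasons.uniq
  rescue REXML::ParseException, REXML::UndefinedNamespaceException => e
    ["not well-formed XML: #{e.message.lines.first.strip}"]
  end

  def self.safe?(svg_text)
    unsafe_reasons(svg_text).empty?
  end

  # Headers for serving a stored upload: force a download, forbid MIME sniffing,
  # and sandbox the response so nothing inside it can run in the site's origin
  # even if a check elsewhere was bypassed.
  def self.download_headers(filename)
    safe_name = filename.gsub(/[^\w.\-]/, '_')
    {
      'Content-Type' => 'application/octet-stream',
      'Content-Disposition' => "attachment; filename=\"#{safe_name}\"",
      'Content-Security-Policy' => "default-src 'none'; sandbox",
      'X-Content-Type-Options' => 'nosniff'
    }
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample mirroring the shape of the advisory's payload.
  sample = '<svg xmlns="http://www.w3.org/2000/svg"><script>alert("x")</script></svg>'
  puts SvgUploadCheck.unsafe_reasons(sample).inspect
  puts SvgUploadCheck.download_headers('justificativa 1.svg').inspect
end
```

In an upload handler the two halves belong together: run `unsafe_reasons` before persisting the file (and log the reasons, since a rejected upload with a `<script>` element is a useful detection signal), and apply `download_headers` on the route that serves stored files so that even an SVG that passed the check is never rendered inline from the application's origin.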

Impact

  • Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.
  • Downloading malware: Attackers can trick users into downloading and installing malware on their computers.
  • Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.
  • Stealing credentials: Attackers can steal a user's credentials.
  • Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.
  • Defacing websites: Attackers can deface a website by altering its content.
  • Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.
  • Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.

Reference

https://github.com/CVE-Hunters/CVE/blob/main/i-diario/CVE-2025-7870.md

Finder:

Natan Maia Morette

By: CVE-Hunters
