GHSA-mrwr-2945-fr22

Source
https://github.com/advisories/GHSA-mrwr-2945-fr22
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-mrwr-2945-fr22/GHSA-mrwr-2945-fr22.json
Aliases
Published
2021-06-22T15:17:28Z
Modified
2023-11-08T04:05:53.320069Z
Details

In PageKit v1.0.18, a user can upload SVG files in the file upload portion of the CMS. These SVG files can contain malicious scripts. This file will be uploaded to the system and it will not be stripped or filtered. The user can create a link on the website pointing to "/storage/exp.svg" that will point to http://localhost/pagekit/storage/exp.svg. When a user comes along to click that link, it will trigger a XSS attack.

References

Affected packages

Packagist / pagekit/pagekit

Package

Name
pagekit/pagekit

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0The exact introduced commit is unknown
Last affected
1.0.18

Affected versions

0.*

0.8.8
0.9.0
0.9.1
0.9.2
0.9.3
0.9.4
0.9.5
0.10.0
0.10.1
0.10.2
0.10.3
0.10.4
0.11.0
0.11.1
0.11.2
0.11.3

1.*

1.0.0
1.0.1
1.0.2
1.0.3
1.0.4
1.0.5
1.0.6
1.0.7
1.0.8
1.0.9
1.0.10
1.0.11
1.0.12
1.0.13
1.0.14
1.0.15
1.0.16
1.0.17
1.0.18