Advisory: Improper Input Sanitization Leading to XSS and Admin Account Takeover
Date: Aug 13, 2025
Severity: High
Write Up - PoC - https://github.com/Mmo-kali/CVE/blob/main/CVE-2025-59525/2025-08-Horilla_Vulnerability_2.pdf
Acknowledgements
Summary
Improper sanitization across the application allows XSS via uploaded SVG (and via allowed <embed>), which can be chained to execute JavaScript whenever users view impacted content (e.g., announcements). This can result in admin account takeover.
Proof of Concept (PoC)
To recreate this finding, please refer to our detailed write-up:
Full Write-Up & Reproduction Steps
Description
While the dashboard blocks many common inline XSS payloads, the platform permits uploading SVGs with embedded scripts—an execution vector in many browsers when the SVG is rendered or embedded. The application also allows the <embed> tag, enabling attackers to load the malicious SVG wherever rich content is rendered. Chaining these issues yields reliable JavaScript execution on any user who views the affected page, including administrators.
Details
- The platform allows uploading SVGs with embedded scripts, bypassing sanitization.
<embed> tags are permitted, allowing malicious SVGs to execute wherever rich content is rendered.- Combined, these issues allow JavaScript execution on users who view the content, including high-privilege administrators.
Impact
This is stored/reflective XSS via uploaded assets and embedding, enabling session hijacking, credential theft, and privilege escalation to admin. Any user able to upload assets or embed content can compromise high-privilege accounts that view the content.
References
Mmo-kali Finder
OrlandoCompC Finder
Gikyon Finder
Advisory: Improper Input Sanitization Leading to XSS and Admin Account Takeover
Date: Aug 13, 2025
Severity: High
Write Up - PoC - https://github.com/Mmo-kali/CVE/blob/main/CVE-2025-59525/2025-08-Horilla_Vulnerability_2.pdf
Acknowledgements
Summary
Improper sanitization across the application allows XSS via uploaded SVG (and via allowed
<embed>), which can be chained to execute JavaScript whenever users view impacted content (e.g., announcements). This can result in admin account takeover.Proof of Concept (PoC)
To recreate this finding, please refer to our detailed write-up:
Full Write-Up & Reproduction Steps
Description
While the dashboard blocks many common inline XSS payloads, the platform permits uploading SVGs with embedded scripts—an execution vector in many browsers when the SVG is rendered or embedded. The application also allows the
<embed>tag, enabling attackers to load the malicious SVG wherever rich content is rendered. Chaining these issues yields reliable JavaScript execution on any user who views the affected page, including administrators.Details
<embed>tags are permitted, allowing malicious SVGs to execute wherever rich content is rendered.Impact
This is stored/reflective XSS via uploaded assets and embedding, enabling session hijacking, credential theft, and privilege escalation to admin. Any user able to upload assets or embed content can compromise high-privilege accounts that view the content.
References