Cross Site Scripting Vulnerability on "Files" upload file SVG in Monstra 3.0.4

**Describe the bug**
An authenticated malicious user can take advantage of a Stored XSS vulnerability in the "Files" feature.
Monstra application allows the upload of a SVG file extension (which is also an image type).
** Reproduce**
Steps to reproduce the behavior:
1. Login into the panel Monstra
2. Go to "/admin/index.php?id=filesmanager&path=uploads/"
3. Upload file abc.svg:

![2](https://user-images.githubusercontent.com/29293812/82776943-c7954700-9e76-11ea-80f5-6936c577e057.PNG)

4.  Open file upload : "/public/uploads/abc.svg"
5. View the preview to trigger XSS.
6. View the preview to get in request and such Stored XSS.
**Impact**
Commonly include transmitting private data, like cookies or other session information, to the attacker, redirecting the victim to web content controlled by the attacker, or performing other malicious operations on the user’s machine under the guise of the vulnerable site.
**Screenshots**
![1](https://user-images.githubusercontent.com/29293812/82776716-11316200-9e76-11ea-875c-9104573adf7f.PNG)
**Desktop (please complete the following information):**
- OS: Kali
- Browser: Firefox
- Version of Browser: 68.6

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Cross Site Scripting Vulnerability on "Files" upload file SVG in Monstra 3.0.4 #467

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Cross Site Scripting Vulnerability on "Files" upload file SVG in Monstra 3.0.4 #467

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions