@thezeekhan
Created November 4, 2025 10:34
Open Redirect

Skuul v2.6.5 – Stored XSS / Open Redirect via SVG File Upload

Summary

Skuul version 2.6.5 allows the upload of unsanitized SVG files in the Edit School section. Since the application serves uploaded SVGs directly without sanitization or content-type enforcement, attackers can embed JavaScript or redirection payloads inside SVGs. When a user or administrator opens the uploaded image in a new tab, the browser executes the embedded script, resulting in a stored cross-site scripting (XSS) or open redirect attack.

Vulnerability Details

SVG files support embedded scripts and event attributes (e.g., onload, onmouseover). The application does not validate or sanitize these files before storing and serving them. As a result, a malicious SVG containing JavaScript or redirection code will execute in the victim’s browser when accessed directly.

This can be abused to:

  • Redirect users to an external malicious site.
  • Execute JavaScript in the victim’s browser context.
  • Potentially perform phishing or session hijacking if served under the same domain.

Steps to Reproduce

  1. Log in to Skuul at http://127.0.0.1:8000/login as Admin.

  2. Navigate to: http://sk.htb:8000/dashboard/schools/1/edit

  3. Upload an SVG file with the following content:

    <?xml version="1.0" standalone="yes"?>
    <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
    <svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg"
         onload="window.location='https://evil.com/'">
       <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
    </svg>

  4. Any user (Super Admin, Student, Teacher or Parent) opens the uploaded image in a new tab ("Open Image in New Tab").

  5. The browser will automatically redirect to https://evil.com/.

Impact

  • Automatic redirection to attacker-controlled websites (phishing/malware risk).
  • Stored XSS possibility through malicious SVG payloads.
  • User credential theft or session hijacking if same-origin.
  • High impact if admin account is compromised, affecting all users.
  • Loss of user trust and potential reputational damage to the platform.

Recommendation

  • Disallow SVG uploads entirely, or
  • Sanitize SVGs using libraries like DOMPurify, sanitize-svg, or similar before storage.
  • Serve SVGs with the Content-Type: image/svg+xml header and force download where possible.
  • Store and serve only rasterized versions (e.g., PNG/JPEG).

Affected Version

  • Skuul v2.6.5

Credits

Zeeshan Khan
