CVE-2021-47783 Overview
CVE-2021-47783 is a file upload vulnerability in Phpwcms 1.9.30, an open-source web content management system. The flaw allows authenticated attackers to upload crafted Scalable Vector Graphics (SVG) files containing embedded JavaScript through the multiple file upload feature. When other users view the uploaded SVG content, the embedded scripts execute in their browser context, enabling stored cross-site scripting (XSS) attacks. The vulnerability is categorized under CWE-434 — Unrestricted Upload of File with Dangerous Type.
Critical Impact
Authenticated attackers can upload malicious SVG payloads to execute JavaScript in victim browsers, enabling session theft, credential harvesting, and unauthorized actions in the Phpwcms application.
Affected Products
- Phpwcms 1.9.30
- Phpwcms deployments using the multiple file upload feature
- Web applications referencing user-supplied SVG assets from Phpwcms
Discovery Timeline
- 2026-01-16 - CVE-2021-47783 published to NVD
- 2026-02-09 - Last updated in NVD database
Technical Details for CVE-2021-47783
Vulnerability Analysis
The vulnerability resides in the multiple file upload handler in Phpwcms 1.9.30. The application accepts SVG files without enforcing content inspection or sanitization on embedded markup. Because SVG is an XML-based format, files may contain <script> elements or event handlers such as onload and onclick that browsers execute when rendering the image inline.
An authenticated attacker uploads a crafted SVG file through the file management interface. When another authenticated user or administrator navigates to the resource, the browser parses the SVG and executes the attacker-controlled JavaScript in the origin of the Phpwcms application. The session context of the victim is exposed to the attacker.
Exploitation requires valid authentication, which limits the attack surface to users with upload privileges. However, low-privileged content editors can target administrators, escalating impact beyond their assigned role.
Root Cause
The root cause is the absence of MIME-type validation, content sanitization, and Content-Security-Policy enforcement on uploaded SVG files. The application treats SVG uploads as image data without recognizing that SVG documents can carry executable script content. See the VulnCheck Advisory for PHPWCMS for technical details.
Attack Vector
The attack vector is network-based and requires authentication. The attacker prepares an SVG document containing a JavaScript payload inside a <script> block or within an event attribute. The attacker submits the file through the multiple file upload feature. Subsequent access to the file URL or any rendered preview triggers script execution under the Phpwcms origin. Refer to Exploit-DB #50363 for the published proof of concept.
Detection Methods for CVE-2021-47783
Indicators of Compromise
- Uploaded files with .svg extension containing <script> tags or on* event attribute handlers
- Unexpected SVG assets in the Phpwcms uploads directory created by non-administrative accounts
- Browser console errors or unexpected outbound requests originating from rendered SVG resources
- Session token or cookie exfiltration to attacker-controlled domains following SVG access
Detection Strategies
- Scan the Phpwcms upload directory for SVG files containing <script, javascript:, or onload= substrings
- Inspect web server access logs for GET requests to user-uploaded .svg files followed by outbound traffic to unknown hosts
- Apply web application firewall (WAF) rules that block SVG uploads containing executable XML elements
Monitoring Recommendations
- Log all file upload events with uploader identity, filename, and MIME type for retroactive review
- Alert on creation of SVG files within Phpwcms media directories by accounts without administrative roles
- Monitor browser-side telemetry for cross-origin requests originating from the Phpwcms domain
How to Mitigate CVE-2021-47783
Immediate Actions Required
- Disable SVG uploads in Phpwcms file upload configuration until the application is patched
- Audit existing uploads for SVG files containing script content and remove any malicious files
- Restrict file upload permissions to trusted administrator accounts only
- Serve user-uploaded files from a separate sandboxed domain to contain XSS impact
Patch Information
No vendor advisory URL is published in the CVE record. Administrators should consult the PHPWCMS Official Site for the latest release and apply any version newer than 1.9.30 that addresses unrestricted file upload behavior.
Workarounds
- Configure the web server to set Content-Disposition: attachment on SVG responses so browsers download rather than render the files
- Apply a strict Content-Security-Policy header that disallows inline scripts on pages serving user-uploaded content
- Block .svg MIME types at the upload filter and reject files whose XML body contains <script> or event-handler attributes
- Implement server-side SVG sanitization using a library that strips script elements and event attributes before storage
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
