CVE-2021-47955 Overview
CVE-2021-47955 is a stored cross-site scripting (XSS) vulnerability in CouchCMS 2.2.1. The flaw resides in the file upload functionality exposed through the browse.php endpoint. Authenticated attackers can upload Scalable Vector Graphics (SVG) files containing embedded <script> tags. When another user accesses or previews the uploaded file, the browser parses the SVG and executes the attacker-supplied JavaScript in the context of the CouchCMS application. The issue is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation).
Critical Impact
Authenticated attackers can execute arbitrary JavaScript in victim browsers, enabling session hijacking, administrative action abuse, and content tampering against CouchCMS users.
Affected Products
- CouchCMS 2.2.1
- CouchCMS file upload handler (browse.php)
- Deployments accepting unrestricted SVG uploads
Discovery Timeline
- 2026-05-16 - CVE-2021-47955 published to NVD
- 2026-05-18 - Last updated in NVD database
Technical Details for CVE-2021-47955
Vulnerability Analysis
The vulnerability exists in the file upload workflow handled by browse.php in CouchCMS 2.2.1. The endpoint accepts SVG files without sanitizing or stripping embedded scriptable content. SVG is an XML-based image format that natively supports <script> elements and event handlers such as onload. Browsers execute these scripts when the SVG is rendered inline.
An authenticated attacker uploads a crafted SVG file through the CouchCMS administrative interface. When an administrator or another user previews or opens the file, the browser executes the embedded JavaScript under the application origin. This grants the attacker access to session cookies, cross-site request forgery (CSRF) tokens, and any client-side privileges held by the victim.
The exploitation requires user interaction, which limits drive-by abuse, but the persistent nature of the upload means any future visit to the file triggers the payload.
Root Cause
The root cause is missing content validation and sanitization for uploaded SVG files. CouchCMS treats SVG as a benign image type and serves the raw file with an XML or image MIME type that browsers render inline. The application does not strip <script> tags, event handler attributes, or external entity references from the SVG payload before storage or delivery.
Attack Vector
The attacker authenticates to CouchCMS with any account permitted to upload files. They craft an SVG document containing a <script> element that executes attacker-controlled JavaScript. The file is uploaded via the browse.php upload handler and stored on the server. When a privileged user accesses the uploaded asset through the admin file browser or a public URL, the browser executes the embedded script. The script can exfiltrate cookies, issue authenticated requests to CouchCMS, or modify rendered content. See the VulnCheck CouchCMS Advisory and Exploit-DB entry #49636 for proof-of-concept details.
Detection Methods for CVE-2021-47955
Indicators of Compromise
- SVG files uploaded to CouchCMS containing <script> tags, javascript: URIs, or on* event handler attributes
- Unexpected outbound HTTP requests from administrator browsers to attacker-controlled domains shortly after viewing the file browser
- New or modified files with the .svg extension in CouchCMS upload directories
- Anomalous administrator account activity following a file preview, such as new admin users or modified content
Detection Strategies
- Inspect uploaded SVG files for XML elements <script>, <foreignObject>, and event handler attributes using static analysis at the web application firewall (WAF) or storage layer
- Monitor browse.php POST requests for file uploads with the image/svg+xml content type and inspect payload contents
- Correlate file upload events with subsequent administrative session activity to identify session hijack indicators
Monitoring Recommendations
- Enable web server access logging for all requests to browse.php and retain logs for forensic review
- Alert on responses serving .svg files with Content-Type: image/svg+xml when accessed by privileged sessions
- Track browser-side telemetry for unexpected script execution origins on CouchCMS administrative pages
How to Mitigate CVE-2021-47955
Immediate Actions Required
- Disable SVG uploads in CouchCMS until a sanitization control is in place
- Audit existing uploaded SVG files and remove any containing scriptable elements or event handlers
- Restrict file upload privileges to trusted administrative accounts only
- Rotate session secrets and force re-authentication for accounts that may have viewed malicious uploads
Patch Information
No official vendor patch is referenced in the NVD entry. Track the upstream project at the GitHub CouchCMS Repository for fixes and apply the latest available release. Until a patch is published, apply the workarounds below.
Workarounds
- Configure the web server to serve .svg files with Content-Disposition: attachment to prevent inline browser rendering
- Add a Content Security Policy (CSP) header that disallows inline scripts on CouchCMS administrative pages
- Use a server-side SVG sanitizer to strip <script>, <foreignObject>, and on* attributes before storing uploads
- Block the image/svg+xml MIME type at the upload boundary if SVG support is not required
# Apache configuration to force SVG downloads instead of inline rendering
<FilesMatch "\.svg$">
Header set Content-Disposition "attachment"
Header set Content-Security-Policy "default-src 'none'; script-src 'none'"
Header set X-Content-Type-Options "nosniff"
</FilesMatch>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
