A stored XSS vulnerability exists in DbGate because attacker-controlled SVG icon strings are rendered as raw HTML without sanitization. In the web UI this allows script execution in another user's browser; in the Electron desktop app this can escalate to local code execution because Electron is configured with nodeIntegration: true and contextIsolation: false.
The issue is in the icon rendering path:
- packages/web/src/icons/FontIcon.svelte renders icon values that begin with `<svg` as inline SVG through {@html iconValue}, without sanitization.
- packages/api/src/controllers/apps.js returns applicationIcon to clients unchanged.
- packages/web/src/appobj/DatabaseAppObject.svelte passes applicationIcon into additionalIcons.
- packages/web/src/appobj/AppObjectCore.svelte renders each of those icons with <FontIcon icon={ic.icon}>.
This makes applicationIcon a stored XSS sink.
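The fix for a sink like this is to stop treating the stored string as trusted markup before it reaches {@html}. The following is an added example, not DbGate's code: a fail-closed validator for icon strings that allowlists a handful of SVG elements and attributes, rejects event handlers, scripts, foreign content and external references, and a `safeIconHtml` wrapper that substitutes a fixed fallback icon when validation fails. The allowlists, the 4096-character limit and the fallback markup are assumptions chosen for the example.

```javascript
// Added example (not DbGate's code). Only markup that passes validateSvgIcon()
// should ever be handed to {@html}; everything else renders a fixed fallback.
// The element/attribute allowlists below are an assumption for this example.
const ALLOWED_TAGS = new Set([
  'svg', 'g', 'path', 'circle', 'ellipse', 'rect', 'line', 'polyline',
  'polygon', 'title', 'desc', 'defs', 'lineargradient', 'radialgradient', 'stop',
]);
const ALLOWED_ATTRS = new Set([
  'xmlns', 'viewbox', 'width', 'height', 'fill', 'stroke', 'stroke-width',
  'stroke-linecap', 'stroke-linejoin', 'd', 'cx', 'cy', 'r', 'rx', 'ry',
  'x', 'y', 'x1', 'y1', 'x2', 'y2', 'points', 'transform', 'opacity',
  'fill-opacity', 'stroke-opacity', 'id', 'offset', 'stop-color',
]);

// One tag token: optional '/', the name, then everything up to '>'.
const TAG_RE = /<\s*(\/?)\s*([A-Za-z][\w:.-]*)([^>]*)>/g;
// One attribute token: a name, optionally followed by a quoted or bare value.
const ATTR_RE = /([^\s=\/"']+)(?:\s*=\s*("[^"]*"|'[^']*'|[^\s"'>]+))?/g;

function validateSvgIcon(icon) {
  if (typeof icon !== 'string' || icon.length > 4096) {
    return { ok: false, reason: 'icon must be a string of at most 4096 characters' };
  }
  const s = icon.trim();
  // Exactly one <svg> root; trailing markup such as "</svg><img ...>" fails here.
  if (!/^<svg[\s>]/i.test(s) || !/<\/svg\s*>$/i.test(s)) {
    return { ok: false, reason: 'icon must be exactly one <svg>...</svg> element' };
  }
  // Comments, CDATA, DOCTYPE and processing instructions have no place in an icon.
  if (/<!|<\?/.test(s)) {
    return { ok: false, reason: 'comments, CDATA, DOCTYPE and PIs are not allowed' };
  }
  let m;
  TAG_RE.lastIndex = 0;
  while ((m = TAG_RE.exec(s)) !== null) {
    const [, closing, rawName, rawAttrs] = m;
    if (!ALLOWED_TAGS.has(rawName.toLowerCase())) {
      return { ok: false, reason: `element <${rawName}> is not allowed` };
    }
    if (closing) continue;
    let a;
    ATTR_RE.lastIndex = 0;
    while ((a = ATTR_RE.exec(rawAttrs)) !== null) {
      const attr = a[1].toLowerCase();
      const value = a[2] === undefined ? '' : a[2].replace(/^["']|["']$/g, '');
      // Any on* handler, and any attribute outside the allowlist, is rejected.
      if (attr.startsWith('on') || !ALLOWED_ATTRS.has(attr)) {
        return { ok: false, reason: `attribute ${a[1]} is not allowed` };
      }
      // Values may only reference fragments inside the icon itself.
      if (/javascript:|data:|url\((?!#)/i.test(value)) {
        return { ok: false, reason: `attribute ${a[1]} has a forbidden value` };
      }
    }
  }
  // Every '<' must have been consumed as an allowlisted tag token.
  if (s.replace(TAG_RE, '').includes('<')) {
    return { ok: false, reason: 'malformed markup' };
  }
  return { ok: true, reason: '' };
}

// Fallback rendered whenever a stored icon does not pass validation (assumed markup).
const FALLBACK_ICON_HTML =
  '<svg xmlns="http://www.w3.org/2000/svg" width="18" height="18">' +
  '<rect x="2" y="2" width="14" height="14" fill="none" stroke="currentColor"/></svg>';

// Hardened replacement for passing iconValue straight to {@html}.
function safeIconHtml(iconValue) {
  return validateSvgIcon(iconValue).ok ? iconValue.trim() : FALLBACK_ICON_HTML;
}
```

A validator like this belongs on the API side as well (rejecting a bad applicationIcon when the app definition is saved), so that stored data is clean regardless of which client renders it. Where a full sanitizer is preferred over an allowlist validator, DOMPurify's SVG profile (`DOMPurify.sanitize(icon, { USE_PROFILES: { svg: true } })`) covers the same element classes; the point in either case is that the string is checked before, not after, it becomes HTML.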
An attacker who can create or modify an app definition can store a payload in applicationIcon. When another user views a matching database/app entry, the payload executes in that user's session.
The impact is especially severe in the Electron desktop app because app/src/electron.js sets:
- nodeIntegration: true
- contextIsolation: false
With that configuration, JavaScript gained through XSS can access Node/Electron APIs, making local code execution possible.
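For comparison, here is the weak BrowserWindow webPreferences object beside its hardened equivalent, with a small audit helper that flags the settings which let a renderer XSS reach Node. This is an added example, not DbGate's electron.js; the preload path and the audit messages are assumptions, and the helper only reports values set explicitly, since the defaults for absent keys depend on the Electron version in use.

```javascript
// Added example (not DbGate's code): Electron webPreferences, weak vs hardened.

// Weak: any script executing in the renderer, including injected markup,
// can call require() and reach Electron's APIs directly.
const weakWebPreferences = {
  nodeIntegration: true,
  contextIsolation: false,
};

// Hardened: the renderer runs as ordinary web content. Whatever it needs from
// the main process is exposed selectively from a preload script via
// contextBridge, so an XSS is confined to the page's own privileges.
const hardenedWebPreferences = {
  nodeIntegration: false,
  contextIsolation: true,
  sandbox: true,
  webSecurity: true,
  preload: '/path/to/preload.js', // hypothetical path
};

// Returns a list of findings for explicitly dangerous settings. Keys that are
// absent are not reported: their defaults vary by Electron version, so check
// them against the version the project actually ships.
function auditWebPreferences(prefs = {}) {
  const findings = [];
  if (prefs.nodeIntegration === true) {
    findings.push('nodeIntegration: true lets renderer scripts require() Node modules');
  }
  if (prefs.contextIsolation === false) {
    findings.push('contextIsolation: false lets page scripts share a realm with the preload script');
  }
  if (prefs.sandbox === false) {
    findings.push('sandbox: false removes the OS-level renderer sandbox');
  }
  if (prefs.webSecurity === false) {
    findings.push('webSecurity: false disables the same-origin policy');
  }
  if (prefs.allowRunningInsecureContent === true) {
    findings.push('allowRunningInsecureContent: true permits mixed content');
  }
  return findings;
}
```

Running `auditWebPreferences` over the options object a project passes to `new BrowserWindow(...)` in a unit test keeps a regression like this from slipping back in unnoticed.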
This was reproduced by creating an app definition with a malicious applicationIcon and making it match a visible database.
Example payload:
{
  "applicationName": "XSS PoC",
  "applicationIcon": "<svg xmlns=\"http://www.w3.org/2000/svg\" width=\"18\" height=\"18\"><circle cx=\"9\" cy=\"9\" r=\"8\" fill=\"red\"/></svg><img src=x onerror=\"alert('xss-fired')\">",
  "usageRules": [
    {
      "serverHostsList": ["postgres"],
      "databaseNamesList": ["dbgate"]
    }
  ]
}
After saving this app definition and...
7.1.5
CVSS 3.1 base score: 8.2
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Exploitability: AV:L, AC:L, PR:L, UI:R. Scope: S:C. Impact: C:H, I:H, A:H.