Advisories for Pypi/Piccolo-Admin package

2024

Piccolo Admin's raw SVG loading may lead to complete data compromise from admin page

Piccolo's admin panel lets users upload media files and view them within the admin panel. If SVG is an allowed file type for upload (which it is by default), an attacker can upload an SVG that, when loaded in certain contexts (for example, opened directly in the browser under the admin panel's origin rather than embedded as an image), runs the script embedded in the SVG with the logged-in admin user's session, giving the attacker arbitrary access to the admin page. That access allows, for example: the ability for an attacker to gain access to all data stored within the …
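The check below is an added example, not code from the Piccolo Admin project: it shows why a raw SVG upload is dangerous (a constructed SVG carrying an `onload` handler and a `<script>` element) and one way an upload handler can refuse such files, either by scanning the SVG for active content or by dropping `svg` from the extension allow-list altogether. The function names, the two allow-lists and the sample SVGs are assumptions made for illustration.

```python
"""
Detect active content in uploaded SVG files and apply an upload allow-list.

Added example, not Piccolo Admin's own code. The function names, allow-lists
and sample SVG documents below are constructed for illustration.
"""
import os
import xml.etree.ElementTree as ET

XLINK_HREF = "{http://www.w3.org/1999/xlink}href"

# Elements that let an SVG run script or embed foreign content when the file
# is rendered inline in the admin origin. <animate>/<set> are included because
# they can rewrite an href to "javascript:" at runtime.
DANGEROUS_TAGS = {"script", "foreignObject", "iframe", "embed", "object", "animate", "set"}
LINK_ATTRS = {"href", XLINK_HREF}


def _local(tag: str) -> str:
    """Strip the XML namespace from a tag or attribute name: '{ns}script' -> 'script'."""
    return tag.rsplit("}", 1)[-1]


def svg_active_content(data: bytes) -> list[str]:
    """Return a list of findings; an empty list means no active content was detected.

    xml.etree is used here for brevity. In production, parse untrusted XML with
    defusedxml so entity-expansion attacks are rejected as well.
    """
    findings = []
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"unparseable XML: {exc}"]

    for elem in root.iter():
        tag = _local(elem.tag) if isinstance(elem.tag, str) else ""
        if tag in DANGEROUS_TAGS:
            findings.append(f"element <{tag}>")
        for attr, value in elem.attrib.items():
            name = _local(attr)
            # onload=, onclick=, onmouseover=, ... all run script in the viewer's origin.
            if name.lower().startswith("on"):
                findings.append(f"event handler {name} on <{tag}>")
            elif attr in LINK_ATTRS and value.strip().lower().startswith(("javascript:", "data:")):
                findings.append(f"{name}={value[:20]!r} on <{tag}>")
    return findings


def upload_allowed(filename: str, data: bytes, allowed_extensions: set[str]) -> tuple[bool, str]:
    """Decide whether an upload is accepted: extension allow-list first, then SVG scan."""
    ext = os.path.splitext(filename)[1].lower().lstrip(".")
    if ext not in allowed_extensions:
        return False, f"extension .{ext} not in allow-list"
    if ext == "svg":
        findings = svg_active_content(data)
        if findings:
            return False, "SVG contains active content: " + "; ".join(findings)
    return True, "ok"


# Constructed allow-lists: the permissive one mirrors an "SVG allowed" default,
# the hardened one simply never accepts SVG.
PERMISSIVE_ALLOW_LIST = {"jpg", "jpeg", "png", "gif", "svg"}
HARDENED_ALLOW_LIST = {"jpg", "jpeg", "png", "gif"}

# Constructed sample: the handler and script would run with the admin's session
# if this file were served inline from the admin panel's origin.
MALICIOUS_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.domain)">
  <script>alert(document.cookie)</script>
</svg>"""

# Constructed sample: a plain drawing with no active content.
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">
  <circle cx="5" cy="5" r="4"/>
</svg>"""

if __name__ == "__main__":
    for label, blob in (("malicious", MALICIOUS_SVG), ("benign", BENIGN_SVG)):
        print(label, "->", svg_active_content(blob))
    print(upload_allowed("logo.svg", MALICIOUS_SVG, PERMISSIVE_ALLOW_LIST))
    print(upload_allowed("logo.svg", BENIGN_SVG, HARDENED_ALLOW_LIST))
```

Scanning is a second line of defence, not a substitute for the structural fix: uploaded files should be served from a separate origin or with `Content-Disposition: attachment`, so that even an SVG that slips past the scanner never executes in the admin panel's origin.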