GHSA-pmww-v6c9-7p83: Piccolo Admin's raw SVG loading may lead to complete data compromise from admin page
Piccolo's admin panel provides the ability to upload media files and view them within the admin panel. If SVG is an allowed file type for upload (the default), an attacker can upload an SVG which, when loaded in certain contexts, allows arbitrary access to the admin page.
For example, this access allows the following actions:
- The ability for an attacker to gain access to all data stored within the admin page
- The ability for an attacker to make any action within the admin page such as creating, modifying or deleting table records
Because the SVG is executed in the context of an authenticated admin session, any action that admin is able to perform can be performed by the attacker.
N.B. the relevant session cookies are inaccessible from JavaScript because HttpOnly is set, so all exploit logic must be contained within the SVG file itself.
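As an added illustration (not code from the advisory or from Piccolo itself), the following Python upload-side check rejects SVGs that carry script-capable content: script and foreign-document elements, `on*` event-handler attributes, and `javascript:` URLs, including ones an `<animate>` or `<set>` would write into an attribute after load. The sample SVGs at the bottom are constructed for the example; serving uploads with `Content-Disposition: attachment` and a restrictive Content-Security-Policy is the complementary mitigation.

```python
import re
try:
    # defusedxml (a real third-party package) refuses entity-expansion tricks;
    # fall back to the stdlib parser if it is not installed.
    from defusedxml.ElementTree import fromstring
except ImportError:
    from xml.etree.ElementTree import fromstring

# Elements that can run script or embed a foreign document when an SVG is
# rendered inline or opened directly in the browser.
ACTIVE_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object", "handler"}
EVENT_ATTR = re.compile(r"^on\w+$", re.IGNORECASE)          # onload, onclick, ...
# Schemes that execute code once they end up in href/src, including via
# <animate>/<set> writing them into an attribute later.
DANGEROUS_SCHEME = re.compile(r"^\s*(?:javascript|vbscript)\s*:", re.IGNORECASE)


def _local(name: str) -> str:
    """Drop an ElementTree '{namespace}' prefix and lower-case the name."""
    return name.rsplit("}", 1)[-1].lower()


def svg_active_content(data: bytes) -> list[str]:
    """Return one finding per piece of script-capable content; empty means clean."""
    try:
        root = fromstring(data)
    except (SyntaxError, ValueError) as exc:  # ET.ParseError / defusedxml errors
        return [f"not well-formed XML: {type(exc).__name__}"]
    findings = []
    for el in root.iter():
        if not isinstance(el.tag, str):       # comments / PIs, if a parser keeps them
            continue
        tag = _local(el.tag)
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"<{tag}> element")
        for raw_name, value in el.attrib.items():
            attr = _local(raw_name)
            if EVENT_ATTR.match(attr):
                findings.append(f"{attr} handler on <{tag}>")
            elif DANGEROUS_SCHEME.match(value):
                findings.append(f"{attr}={value!r} on <{tag}>")
    return findings


def is_safe_svg(data: bytes) -> bool:
    """Upload gate: accept only SVGs with no active content at all."""
    return not svg_active_content(data)


# Constructed samples (not from the advisory) covering the main vectors.
CLEAN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle cx="5" cy="5" r="4"/></svg>'
SCRIPT_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><script>/* any body */</script></svg>'
HANDLER_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" onload="/* any body */"/>'
ANIMATE_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg"><a href="#x">'
               b'<animate attributeName="href" to="javascript:void(0)"/></a></svg>')
```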