technique://Session Hijack

SVG with embedded JavaScript uploads to a ticketing system. When the admin previews the attachment, XSS fires in their browser and exfiltrates session cookie. Cookie replay gives admin access and SSH credentials.