Summary
A stored XSS vulnerability exists, allowing the execution of arbitrary JavaScript in a user's browser, with minimal or no user interaction required, due to the rendering of a malicious uploaded SVG file. This could be abused to add an attacker's account to the "credentials-admin" group, giving them full administrative access, if a user logged in as an administrator were to view the page which renders or redirects to the SVG.
Details
It is possible to upload an SVG file containing arbitrary JavaScript via the media upload feature, then use multiple techniques to redirect the user to or embed the malicious SVG within the webpage, executing the JavaScript upon page load where the SVG is rendered.
Uploaded files should be sanitised to remove <script> elements, inline event-handler attributes and any other arbitrary JavaScript. A proven sanitisation library should be used to perform this operation.
Fixes
Patched Versions: >=1.43.3
- SVG files uploaded by a user and accessed via the /api/user-medias/ endpoint are sanitised using the "isomorphic-dompurify" package, completely stripping arbitrary inline event handlers (such as onload) and JavaScript before being returned to the user's browser.
- Default sandbox attributes have been added to the iFrame item to prevent potentially malicious or unwanted content from being loaded within the iFrame.
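As an added example (not the project's own code), the following dependency-free audit flags the SVG constructs the fix strips (script elements, inline event handlers such as onload, javascript: URLs) and builds defence-in-depth headers for a media endpoint; the rule names, the constructed sample SVGs and the mediaResponseHeaders helper are assumptions, and a real implementation should still sanitise with a proven library such as DOMPurify as described above.

```javascript
// Audit rules for uploaded SVG text. These are conservative regex heuristics for
// review and detection (they may produce false positives); they do not replace
// sanitisation with a proven library, which the advisory's fix relies on.
const SVG_AUDIT_RULES = [
  { id: "script-element", re: /<script[\s>]/i },               // <script> blocks
  { id: "event-handler-attr", re: /\son[a-z]+\s*=/i },          // onload=, onclick=, ...
  { id: "javascript-url", re: /(?:xlink:)?href\s*=\s*["']?\s*javascript:/i },
  { id: "foreign-object", re: /<foreignObject[\s>]/i },         // embeds arbitrary HTML
];

// Returns { safe, findings } so an upload pipeline can log or reject on findings.
function auditSvg(svgText) {
  const text = String(svgText);
  const findings = SVG_AUDIT_RULES.filter((r) => r.re.test(text)).map((r) => r.id);
  return { safe: findings.length === 0, findings };
}

// Defence-in-depth headers for a user-media endpoint (assumed helper, not the
// project's API): if a script ever slipped past sanitisation, the CSP forbids
// script execution and the sandbox directive isolates a directly opened or
// framed SVG from the application's origin; nosniff prevents MIME confusion.
function mediaResponseHeaders(contentType) {
  return {
    "Content-Type": contentType,
    "Content-Security-Policy": "sandbox; script-src 'none'",
    "X-Content-Type-Options": "nosniff",
  };
}

// Constructed samples (not taken from the advisory): a benign icon and one
// carrying the constructs the fix strips, with harmless console.log bodies.
const BENIGN_SVG =
  '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10"><circle cx="5" cy="5" r="4" fill="teal"/></svg>';
const HOSTILE_SVG =
  '<svg xmlns="http://www.w3.org/2000/svg" onload="console.log(1)"><script>console.log(2)</script></svg>';

function runAudit() {
  return {
    benign: auditSvg(BENIGN_SVG),
    hostile: auditSvg(HOSTILE_SVG),
    headers: mediaResponseHeaders("image/svg+xml"),
  };
}
```

runAudit() reports the benign icon as safe and the hostile sample with the "script-element" and "event-handler-attr" findings.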
Impact
This vulnerability impacts any authenticated user with access to a board, or any unauthenticated user if the board is made public. The "attacker" would need to have permissions to upload media and edit a board, which could be achieved through having access to an account that is part of the credentials-admin group, or a custom-made group that gives those specific permissions to its members.
This vulnerability can be exploited for phishing, malware distribution, or full administrator privilege escalation.