Insecure file upload - Stored cross-site scripting 

Issue date: 13-12-2021
Affects versions: 14.6, 13.4, 12.6

Security Issue ID

SECURITY-265

 

Affected Product Version(s)

14.6.3, 13.4.10, 12.6.18 and previous releases.


Severity 

High

 

Description

We have identified that it is possible to upload an SVG file containing an XSS payload. The file can then be browsed within the web folder. This means that an authenticated attacker could launch a cross-site scripting attack by inserting malicious JavaScript code into an uploaded SVG file. An authenticated victim could then visit the uploaded file, and the attacker could, for example, access the victim's sensitive data and functionality.

A user can no longer upload a JPG file and then upload a malicious SVG file through an edit upload of that JPG file.
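The class of check described above, as an added example: it is not the vendor's fix or code from the affected product. It refuses an edit upload whose sniffed type differs from the stored file's type and screens SVG for script-capable constructs; the function names, the allow-list and the sample bytes are assumptions made for this sketch.

```python
import xml.etree.ElementTree as ET

# Assumed allow-list of raster signatures; extend for the types your application accepts.
MAGIC = {"jpg": b"\xff\xd8\xff", "png": b"\x89PNG\r\n\x1a\n", "gif": b"GIF8"}
ACTIVE_TAGS = {"script", "foreignobject", "iframe", "object", "embed"}

def sniff_type(data: bytes) -> str:
    """Classify an upload by its bytes, never by the client-supplied file name."""
    for kind, signature in MAGIC.items():
        if data.startswith(signature):
            return kind
    return "svg" if b"<svg" in data[:4096].lower() else "unknown"

def svg_findings(data: bytes) -> list[str]:
    """List script-capable constructs in an SVG document."""
    lowered = data.lower()
    if b"<!doctype" in lowered or b"<!entity" in lowered:
        return ["DTD or entity declaration"]  # rejected before the XML parser sees it
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return ["not well-formed XML"]
    findings = []
    for element in root.iter():
        tag = element.tag.rsplit("}", 1)[-1].lower()
        if tag in ACTIVE_TAGS:
            findings.append(f"<{tag}> element")
        for name, value in element.attrib.items():
            attr = name.rsplit("}", 1)[-1].lower()
            if attr.startswith("on"):
                findings.append(f"event handler attribute {attr}")
            elif attr == "href" and value.strip().lower().startswith("javascript:"):
                findings.append("javascript: URL in href")
    return findings

def check_replacement(original_kind: str, new_data: bytes) -> tuple[bool, str]:
    """Decide whether an edit upload may overwrite a stored file of original_kind."""
    new_kind = sniff_type(new_data)
    if new_kind != original_kind:
        return False, f"type changed from {original_kind} to {new_kind}"
    findings = svg_findings(new_data) if new_kind == "svg" else []
    if findings:
        return False, "active SVG content: " + "; ".join(findings)
    return True, "ok"

# Constructed sample inputs (not taken from the advisory).
JPG_SAMPLE = b"\xff\xd8\xff\xe0" + b"\x00" * 16
SVG_PLAIN = b'<svg xmlns="http://www.w3.org/2000/svg"><rect width="4" height="4"/></svg>'
SVG_ACTIVE = b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"><script>alert(1)</script></svg>'
```

A block-list like this is a screening step only. Serving user uploads with `Content-Disposition: attachment`, or from a separate origin, keeps script in a missed file from running in the application's session.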

Instructions

Customers are advised to upgrade to the latest version: at the time of writing, 14.7.0, 13.4.11, or 12.6.19.