Affected Versions
version ≤ 3.5 (latest version)
Impact
jshERP versions 3.5 and earlier are affected by a stored XSS vulnerability. An attacker can upload a PDF file that carries an XSS payload, and because uploaded PDFs are then served from static URLs that every user can reach, the payload runs for anyone who opens the file, causing severe harm.
Attack Steps
- Upload a PDF file containing a malicious XSS payload through /systemConfig/upload
- Access the static URL to trigger the XSS. Note: this static URL is accessible to all users, which expands the attack surface.
Vulnerability Cause
The uploadlocal function accepts uploads with the .pdf extension without checking whether the file content carries a malicious XSS payload.
Remediation Recommendations
- The website's functionality does not require PDF uploads, so remove support for this file extension outright.
- If PDF uploads are kept, add validation that checks the uploaded file for malicious XSS payloads.
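The two recommendations above as defender-side checks, written here as an added example that is not jshERP's own code: an extension allowlist with magic-byte verification that simply does not include pdf, a heuristic scanner for PDFs that carry auto-executing content, and the response headers a static file route should send so a stored file is downloaded rather than rendered inline in the application's origin. The allowlist contents, the function names and the sample PDF are assumptions made for this illustration.

```python
import re

# Allowlist for the upload endpoint (assumed set). PDF is deliberately absent,
# which implements the first recommendation: drop support for the extension.
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif"}

# Magic bytes per extension, so a renamed file cannot claim an allowed type.
MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# PDF name objects that attach script or auto-triggered actions to a document.
ACTIVE_PDF_NAMES = re.compile(rb"/(JavaScript|JS|OpenAction|AA|Launch)\b")

# Constructed test fixture, not a real upload: a minimal PDF whose catalog
# opens with a JavaScript action. Used only to exercise the scanner below.
ACTIVE_PDF_SAMPLE = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /OpenAction << /S /JavaScript /JS (app.alert(1)) >> >> endobj\n"
    b"%%EOF\n"
)


def extension_of(filename: str) -> str:
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def upload_allowed(filename: str, data: bytes) -> bool:
    """Allowlist plus magic-byte check; any .pdf is rejected because pdf is not listed."""
    ext = extension_of(filename)
    if ext not in ALLOWED_EXTENSIONS:
        return False
    return any(data.startswith(sig) for sig in MAGIC[ext])


def pdf_has_active_content(data: bytes) -> bool:
    """Second recommendation, for deployments that must keep PDFs: flag files with
    script or auto-action names. Names inside compressed object streams are not
    visible to this scan, so a False means 'nothing obvious', not 'clean'."""
    if not data.startswith(b"%PDF-"):
        return True  # not a PDF at all: reject rather than guess
    return ACTIVE_PDF_NAMES.search(data) is not None


def serving_headers(filename: str) -> dict:
    """Headers for the static route that hands uploads back: force a download and
    forbid MIME sniffing so a stored file never renders inline in the app's origin."""
    safe_name = re.sub(r"[^\w.-]", "_", filename)
    return {
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }
```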