Cross-site Scripting (XSS) - Stored in knadh/listmonk

Valid
Reported on May 18th 2021

💥 BUG

Stored XSS via file upload

💥 SUMMARY

The uploaded file's extension is only checked in client-side JavaScript. It must also be checked on the server side, so that a user cannot upload an HTML file instead of an image.

💥 STEPS TO REPRODUCE

  1. From your account, go to http://localhost:9000/campaigns/media and upload an image. In the browser's network tab, change the filename to an .html file and put an XSS payload in the request body, then forward the request.
  2. Now visit the uploaded file and see that the XSS is executed.
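The server-side check the summary asks for, as an added example in Go (listmonk's language) that is not listmonk's own code: the extension allowlist, the `ValidateUpload`/`ServeUpload` names and the MIME mapping are assumptions for illustration. It pairs an extension allowlist with content sniffing, so that an HTML document renamed to an image extension is rejected too, and shows the response headers that stop a stored file from ever rendering as a page in the application's origin.

```go
package main

import (
	"errors"
	"fmt"
	"mime"
	"net/http"
	"path/filepath"
	"strings"
)

// Extension allowlist mapped to the MIME type the sniffed bytes must produce.
// Assumed values for this example, not listmonk's own configuration.
var allowedTypes = map[string]string{
	".png": "image/png", ".jpg": "image/jpeg", ".jpeg": "image/jpeg", ".gif": "image/gif",
}

var (
	ErrBadExtension    = errors.New("upload: extension not allowed")
	ErrContentMismatch = errors.New("upload: content does not match extension")
)

// ValidateUpload enforces on the server what a client-side check cannot: the
// extension must be allowlisted AND the leading bytes must sniff as that image
// type. "page.html" fails the first check; HTML renamed to .png fails the second.
func ValidateUpload(filename string, data []byte) (string, error) {
	ext := strings.ToLower(filepath.Ext(filename))
	want, ok := allowedTypes[ext]
	if !ok {
		return "", ErrBadExtension
	}
	got := http.DetectContentType(data) // WHATWG sniffing over the first 512 bytes
	if got != want {
		return "", fmt.Errorf("%w: %s sniffed as %q", ErrContentMismatch, ext, got)
	}
	return want, nil
}

// ServeUpload is the second layer for files already on disk: send the validated
// type, forbid browser re-sniffing and force download, so nothing uploaded can
// execute as a document in the application's origin even if validation is bypassed.
func ServeUpload(w http.ResponseWriter, name, ctype string, data []byte) {
	w.Header().Set("Content-Type", ctype)
	w.Header().Set("X-Content-Type-Options", "nosniff")
	w.Header().Set("Content-Disposition", mime.FormatMediaType("attachment", map[string]string{"filename": name}))
	w.Write(data)
}

func main() {
	// Constructed inputs: a bare PNG signature, and an HTML document renamed to .png.
	_, err := ValidateUpload("logo.png", []byte("\x89PNG\r\n\x1a\n"))
	fmt.Println("real png:", err) // <nil>
	_, err = ValidateUpload("logo.png", []byte("<!DOCTYPE html><p>not an image"))
	fmt.Println("renamed html:", err) // upload: content does not match extension: .png sniffed as "text/html; charset=utf-8"
}
```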

💥 VIDEO

https://drive.google.com/file/d/1xgNfsZ8-Roltnhgj_9zriTZvMI7Dckbb/view?usp=sharing