Cross-site Scripting (XSS) - Stored in kalcaddle/KodExplorer

Valid
Reported on May 17th 2021

BUG

Stored xss via file upload

STEP TO REPRODUCE

  1. First create image file with xss payload in name like xss"'><img src=x onerror=alert(22)>.jpg

  2. From your account upload the above file .

  3. Now mouseover over the uploaded file and see xss is executed

SUGGESTED FIX

Properly sanitize the uploaded filename before rendering .

VIDEO POC

check this recorded video https://drive.google.com/file/d/1iKDUWhYZxfUR5FGszDAimRb0x7NK0ms9/view?usp=sharing