Cross-site Scripting (XSS) - Stored in autolab/autolab
Mar 2nd 2022
Autolab is vulnerable to stored cross-site scripting (XSS) in the file-upload functionality of the courses feature. An uploaded file is later served and rendered in the browser, so the payload executes against any student or teacher who views the attachment.
Steps to Reproduce (PoC)
- log in to Autolab
- go to https://DOMAIN/courses/COURSENAME/attachments/new
- upload the file below as something.svg
- go to https://DOMAIN/courses/COURSENAME/attachments
- view the file you just uploaded; the alert function executes.
Fix / Mitigation
Check file types while uploading and allow only the expected types. It is recommended to use a server-side allow-list to check the file type and to reject or accept the file at upload time.
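As an added example (not Autolab's own code), the following Ruby implements the server-side allow-list check described above: an upload is accepted only if its extension is on the list and its leading bytes match the expected file type, so a renamed SVG does not slip through as a PNG. The `ALLOWED_TYPES` table, the sample files and the `download_headers` helper are assumptions for illustration; the nosniff/attachment headers are a defence-in-depth measure for any attachment the application does serve.

```ruby
# Added example, not Autolab's code: a server-side allow-list for course
# attachment uploads (the advisory recommends exactly this kind of check).
#
# Both the extension and the leading bytes ("magic number") must match an
# allow-list entry. SVG is deliberately absent: it is XML that browsers
# render as a document, so it can carry active content.

ALLOWED_TYPES = {
  # extension => magic-byte prefixes to accept, and the Content-Type to serve
  'pdf'  => { magic: ['%PDF-'.b],                content_type: 'application/pdf' },
  'png'  => { magic: ["\x89PNG\r\n\x1a\n".b],    content_type: 'image/png' },
  'jpg'  => { magic: ["\xFF\xD8\xFF".b],         content_type: 'image/jpeg' },
  'jpeg' => { magic: ["\xFF\xD8\xFF".b],         content_type: 'image/jpeg' },
  'zip'  => { magic: ["PK\x03\x04".b],           content_type: 'application/zip' }
}.freeze

class UploadRejected < StandardError; end

# Returns the Content-Type to store with the file, or raises UploadRejected.
# Only the last extension counts, so "notes.svg.png" is checked as a PNG and
# then fails the magic-byte comparison because its bytes are XML.
def validate_upload(filename, bytes)
  ext = File.extname(File.basename(filename.to_s)).delete_prefix('.').downcase
  entry = ALLOWED_TYPES[ext]
  raise UploadRejected, "extension '#{ext}' is not on the allow-list" unless entry

  head = bytes.to_s.byteslice(0, 16).to_s.b
  unless entry[:magic].any? { |prefix| head.start_with?(prefix) }
    raise UploadRejected, "content does not look like a .#{ext} file"
  end

  entry[:content_type]
end

# Boolean convenience wrapper for callers that only need accept/reject.
def upload_allowed?(filename, bytes)
  validate_upload(filename, bytes)
  true
rescue UploadRejected
  false
end

# Defence in depth when serving stored attachments (assumed helper): force a
# download and forbid MIME sniffing so the browser never renders the file as
# a page even if a bad type were stored.
def download_headers(filename, content_type)
  safe_name = File.basename(filename.to_s).gsub(/[^\w.\-]/, '_')
  {
    'Content-Type'           => content_type,
    'Content-Disposition'    => "attachment; filename=\"#{safe_name}\"",
    'X-Content-Type-Options' => 'nosniff'
  }
end

# Constructed sample uploads (not real files from the report).
SAMPLE_PDF = '%PDF-1.4 constructed sample'.b
SAMPLE_PNG = "\x89PNG\r\n\x1a\n".b + ("\x00" * 8).b
SAMPLE_SVG = '<svg xmlns="http://www.w3.org/2000/svg"></svg>'.b

if __FILE__ == $PROGRAM_NAME
  [['notes.pdf', SAMPLE_PDF], ['slide.png', SAMPLE_PNG],
   ['something.svg', SAMPLE_SVG], ['image.png', SAMPLE_SVG]].each do |name, data|
    puts "#{name}: #{upload_allowed?(name, data) ? 'accepted' : 'rejected'}"
  end
end
```

The extension check alone would already block `something.svg`; the magic-byte check is what catches the same SVG uploaded as `image.png`, and the download headers cover the case where an attachment must be served at all.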
- Abhishek S (email@example.com)
- Vidhun K (firstname.lastname@example.org)
- Srikar R (email@example.com)
- Varun Nair (firstname.lastname@example.org)