Cross-site Scripting (XSS) - Stored in autolab/autolab
Mar 2nd 2022
Autolab is vulnerable to stored cross-site scripting in the file-upload functionality of the courses feature. An uploaded SVG file is served back to anyone who views it in the course's attachments, so the script it carries runs in the browser of the victim, who may be a student or a teacher.
Steps to Reproduce (PoC)
- Log in to Autolab.
- Go to https://DOMAIN/courses/COURSENAME/attachments/new
- Upload the below file as something.svg.
- Go to https://DOMAIN/courses/COURSENAME/attachments
- View the file you just uploaded; the alert function is executed.
Fix / Mitigation
Check file types during upload and accept only the expected types. A whitelist-based (allowlist) check of the file type on the server side is recommended, so that each upload is accepted or rejected before it is stored; the check should look at the file's content, not only at the extension or the client-supplied content type, since the browser renders what the bytes actually are.
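The mitigation above, shown as an added example rather than Autolab's own code: a Ruby validator (Autolab is a Rails application, but this snippet is framework-independent) that accepts an upload only when its extension is on an allowlist and its leading bytes match that type, and a helper that builds response headers so stored files that a browser could render as a document are served as downloads. The allowlist, the magic-byte prefixes and the helper names (`validate_upload`, `download_headers`, `UploadRejected`) are assumptions made for this example; SVG is deliberately not on the list because it is XML that can embed script.

```ruby
# Added example, not Autolab's code: allowlist-based server-side file type
# validation for course attachments, plus safe download headers.
require 'set'

# Constructed allowlist: extension => expected MIME type and the byte prefixes
# ("magic numbers") a file of that type must start with. Tune to your needs.
ALLOWED_TYPES = {
  'pdf'  => { mime: 'application/pdf', magic: ['%PDF-'.b] },
  'png'  => { mime: 'image/png',       magic: ["\x89PNG\r\n\x1a\n".b] },
  'jpg'  => { mime: 'image/jpeg',      magic: ["\xFF\xD8\xFF".b] },
  'jpeg' => { mime: 'image/jpeg',      magic: ["\xFF\xD8\xFF".b] },
  'zip'  => { mime: 'application/zip', magic: ["PK\x03\x04".b] },
}.freeze

# Types the browser may render inline. Anything else is served as an
# attachment so the browser never treats it as a page to execute.
INLINE_SAFE = Set['pdf', 'png', 'jpg', 'jpeg'].freeze

class UploadRejected < StandardError; end

# Returns the normalized extension when the upload is acceptable and raises
# UploadRejected otherwise. Both the name and the content must agree.
def validate_upload(filename, bytes)
  base = File.basename(filename.to_s)
  ext = File.extname(base).delete_prefix('.').downcase
  raise UploadRejected, 'missing file extension' if ext.empty?

  entry = ALLOWED_TYPES[ext]
  raise UploadRejected, "extension .#{ext} is not allowed" unless entry

  # Content check: a markup file renamed to .png would pass a name-only
  # check, but browsers sniff bytes, so compare the actual leading bytes.
  head = bytes.to_s.b[0, 16]
  unless entry[:magic].any? { |prefix| head.start_with?(prefix) }
    raise UploadRejected, "content does not match .#{ext}"
  end

  ext
end

# Headers for serving a stored attachment. Only allowlisted, inline-safe
# types are displayed in the browser; everything else is a forced download.
# nosniff stops the browser from second-guessing the declared type, and the
# CSP sandbox keeps any rendered content from running script or reaching
# the origin's session.
def download_headers(ext, filename)
  entry = ALLOWED_TYPES.fetch(ext)
  safe_name = File.basename(filename.to_s).gsub(/[^\w.\-]/, '_')
  disposition = INLINE_SAFE.include?(ext) ? 'inline' : 'attachment'
  {
    'Content-Type' => entry[:mime],
    'Content-Disposition' => "#{disposition}; filename=\"#{safe_name}\"",
    'X-Content-Type-Options' => 'nosniff',
    'Content-Security-Policy' => "default-src 'none'; sandbox",
  }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs: a genuine PDF prefix and an SVG document.
  puts validate_upload('report.pdf', "%PDF-1.7\n%constructed".b)
  begin
    validate_upload('something.svg', '<svg xmlns="http://www.w3.org/2000/svg"></svg>')
  rescue UploadRejected => e
    puts "rejected: #{e.message}"
  end
  p download_headers('zip', 'hw1 (final).zip')
end
```

In an application the `validate_upload` call belongs in the upload controller or model callback before the file is written to storage, and `download_headers` in the action that streams the stored file. If SVG must be accepted for a course, add it to `ALLOWED_TYPES` but not to `INLINE_SAFE`, so it is only ever offered as a download.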
- Abhishek S (firstname.lastname@example.org)
- Vidhun K (email@example.com)
- Srikar R (firstname.lastname@example.org)
- Varun Nair (email@example.com)