CMDBuild
cpe:2.3:a:tecnoteca:cmdbuild:*:*:*:*:*:*:*
- <= 3.3.2
A stored cross-site scripting vulnerability has been identified in CMDBuild version 3.3.2. This vulnerability allows authenticated attackers to inject arbitrary web scripts or HTML. The issue arises in card creation and file upload endpoints, where XSS payloads can be executed when other users view the affected records or preview attachments.
Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the affected record or attachment.
To reproduce this vulnerability, log into CMDBuild 3.3.2 as a user with low privileges. Navigate to the 'Employee' section under 'Basic Archives' and add a new employee card. Inject an XSS payload into the 'Code', 'Surname', and 'Name' fields. Once the card is saved, the injected script will execute when the 'Open Relation Graph' option is selected. Alternatively, to exploit the file upload vector, go to the 'Workplace' section and add a new workplace card. Upload an SVG file containing an XSS payload as an attachment. After uploading, preview the attachment, which will trigger the execution of the injected script.