openDCIM Stored Cross-Site Scripting Vulnerability in SVG File Upload
Vulnerability
A stored cross-site scripting vulnerability has been identified in openDCIM version 23.04. This issue arises in the SVG file handling component, specifically within the file upload process. The vulnerability is triggered by manipulating the 'Filedata' argument, allowing the injection of malicious JavaScript into uploaded SVG files. When these files are accessed later, the embedded scripts execute in the user's browser, potentially leading to the theft of cookies, session tokens, or other sensitive information. This vulnerability could be particularly damaging if an administrator views the malicious file, as it may compromise privileged accounts.
Impact
Exploitation of this vulnerability allows for the execution of arbitrary scripts in the browsers of users who view the infected SVG files. This could result in the theft of cookies, session tokens, or other sensitive data, and could compromise privileged accounts if an administrator views the malicious file.
Reproduction
To reproduce this vulnerability, log into the openDCIM application and navigate to the image upload management page. Upload an SVG file that has been crafted to include a malicious script, such as one that triggers an alert. Once the file is uploaded, it will be accessible through the application's asset management system. Viewing this file will execute the injected script, demonstrating the cross-site scripting vulnerability.
Remediation
To address this vulnerability, it is recommended to block SVG uploads or any file formats that can contain executable code. Additionally, uploaded SVG files should be sanitized to remove any embedded JavaScript and to disable script execution. Implementing a strict Content Security Policy can also help limit unauthorized script execution.
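The three remediations above (reject SVG at upload, sanitize what is accepted, and serve stored files so that a missed script still cannot run in the application's origin) can be combined into one server-side upload policy. The example below is an added illustration written for this advisory and is not openDCIM code; the function names, the allowlist, the headers and the sample SVG are all assumptions, and openDCIM's own upload handler is PHP, so this is a language-neutral sketch of the checks rather than a drop-in patch.

```python
"""Defensive handling of image uploads: extension plus magic-byte allowlist,
SVG sanitization, and response headers for serving stored files.
Added illustration for the openDCIM SVG XSS advisory; not project code.
"""
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"

# Policy A (simplest fix): accept only raster formats, verified by both the
# extension and the file's leading bytes, so a renamed SVG is still rejected.
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}

# Elements that carry script or embed foreign content inside an SVG document.
DANGEROUS_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}
SAFE_HREF_SCHEMES = {"http", "https"}


def local_name(tag: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on qualified names."""
    return tag.rsplit("}", 1)[-1].lower()


def is_allowed_upload(filename: str, data: bytes) -> bool:
    """Policy A: extension must be in the allowlist AND the bytes must match."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    magic = MAGIC.get(ext)
    return magic is not None and data.startswith(magic)


def sanitize_svg(data: bytes) -> bytes:
    """Policy B: if SVG must be accepted, strip every script-bearing construct.

    Removes <script>/<foreignObject>/... subtrees, every on* event attribute,
    and any href/xlink:href whose scheme is not http(s).  Comments and
    processing instructions are dropped by the parser.  Raises ValueError for
    malformed XML or a non-<svg> root.  In production, parse with defusedxml
    to also cover entity-expansion (billion laughs) inputs.
    """
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        raise ValueError(f"not well-formed XML: {exc}") from exc
    if local_name(root.tag) != "svg":
        raise ValueError("root element is not <svg>")

    def scrub(elem: ET.Element) -> None:
        for child in list(elem):
            if local_name(child.tag) in DANGEROUS_ELEMENTS:
                elem.remove(child)        # drop the whole subtree
            else:
                scrub(child)
        for attr in list(elem.attrib):
            name = local_name(attr)
            value = elem.attrib[attr].strip().lower()
            if name.startswith("on"):     # onload=, onclick=, ...
                del elem.attrib[attr]
            elif name == "href":
                m = re.match(r"^([a-z][a-z0-9+.-]*):", value)
                if m and m.group(1) not in SAFE_HREF_SCHEMES:
                    del elem.attrib[attr]  # javascript:, data:, vbscript:, ...

    scrub(root)
    ET.register_namespace("", SVG_NS)
    ET.register_namespace("xlink", XLINK_NS)
    return ET.tostring(root, encoding="utf-8")


def stored_file_headers(content_type: str) -> dict:
    """Headers for serving any stored upload: no MIME sniffing, download
    rather than inline rendering, and a CSP that forbids scripts and
    sandboxes the response even if a browser does render it."""
    return {
        "Content-Type": content_type,
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": "attachment",
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }


# Constructed sample: an SVG with an event handler, a script element and a
# javascript: link, plus legitimate drawing content that must survive.
SAMPLE_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="handler()">
  <script>/* constructed placeholder; would run on direct view */</script>
  <a xlink:href="javascript:void(0)"><rect width="10" height="10"/></a>
  <a href="#legend"><circle r="5"/></a>
</svg>"""

if __name__ == "__main__":
    print("policy A accepts rack.svg:", is_allowed_upload("rack.svg", SAMPLE_SVG))
    print(sanitize_svg(SAMPLE_SVG).decode())
    print(stored_file_headers("image/svg+xml"))
```

Policy A is the recommended default for a DCIM tool whose images are rack and device photos; Policy B is for deployments that genuinely need vector diagrams, and even then the sanitized file should be served with the headers from `stored_file_headers` so that a construct the scrubber did not anticipate (a `style` block, a future element) still has no script-capable origin to run in.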