fcba_zzm ics-park Smart Park Management System Unrestricted File Upload Vulnerability Leading to Stored Cross-Site Scripting
Vulnerability
A vulnerability in fcba_zzm ics-park Smart Park Management System version 2.0 has been identified, stemming from improper validation of uploaded file types. This flaw resides in the file upload module, specifically within FileUploadUtils.java. The system's inadequate checks allow files with dangerous extensions, such as .html and .xml, to be uploaded. Once these files are accessed, they are rendered in the browser, enabling the execution of arbitrary JavaScript. This vulnerability creates a Stored Cross-Site Scripting (XSS) risk, potentially exploitable by authenticated users.
Impact
Exploitation of this vulnerability could lead to Stored Cross-Site Scripting: scripts contained in an uploaded file execute in the browser of a user who opens that file.
Reproduction
To reproduce this vulnerability, log into the ICS-Park system and navigate to the file upload feature. Upload a file with a .html or .xml extension, ensuring it contains a script payload, such as a JavaScript alert. Once uploaded, the file will be accessible through the application, and the script will execute in the browser.
Remediation
Implement strict file extension whitelisting to only allow safe file types, rejecting those that could pose a risk, such as .html or .xml.
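The remediation above, sketched as an added Java example; it is not code from ics-park or its FileUploadUtils.java. The class name, method names and the set of allowed extensions are assumptions chosen for illustration.

```java
import java.util.List;
import java.util.Locale;
import java.util.Set;

public class UploadExtensionAllowlist {
    // Assumed policy for illustration: list only the types the application needs.
    private static final Set<String> ALLOWED = Set.of("png", "jpg", "jpeg", "gif", "pdf");

    /** Returns the lower-cased final extension, or null if the name is unacceptable. */
    static String safeExtension(String original) {
        if (original == null) return null;
        // Drop any client-supplied path; only the last component is the file name.
        int sep = Math.max(original.lastIndexOf('/'), original.lastIndexOf('\\'));
        String name = original.substring(sep + 1);
        // Reject control characters (including NUL) instead of trying to clean them.
        if (name.chars().anyMatch(Character::isISOControl)) return null;
        // Some file systems strip trailing dots and spaces, which changes the extension.
        if (name.isEmpty() || name.endsWith(".") || name.endsWith(" ")) return null;
        int dot = name.lastIndexOf('.');
        if (dot <= 0) return null; // no extension, or a dot-file such as ".htaccess"
        // Only the last extension counts, so "image.png.html" is judged as "html".
        return name.substring(dot + 1).toLowerCase(Locale.ROOT);
    }

    /** Default-deny: anything not explicitly allowed is rejected. */
    static boolean isAllowed(String original) {
        String ext = safeExtension(original);
        return ext != null && ALLOWED.contains(ext);
    }

    public static void main(String[] args) {
        // Constructed sample names, not taken from the advisory.
        List<String> samples = List.of("photo.PNG", "report.pdf", "note.html", "feed.xml",
                "image.png.html", "page.HtMl", "shot.png.", "../../x.jpg", "noext");
        for (String s : samples) {
            System.out.printf("%-16s %s%n", s, isAllowed(s) ? "accept" : "reject");
        }
    }
}
```

Because the check is default-deny, .html and .xml are rejected without being named, as is any other extension missing from the list. Storing the accepted file under a server-generated name with the validated extension keeps the client-supplied name out of the storage path.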
