Total.js CMS
cpe:2.3:a:totaljs:content_management_system:*:*:*:*:node.js:*:*
- 19.0
- 19.1
- 19.2
- 19.3
- 19.4
- 19.5
- 19.6
- 19.7
- 19.8
- 19.9.0
A cross-site scripting (XSS) vulnerability has been identified in Total.js CMS versions prior to 19.9.0. The issue resides in the Files Menu component, where an authenticated attacker with administrative privileges can upload malicious files by manipulating the Content-Type to text/html and using arbitrary file extensions, such as .html. This allows the injection of JavaScript code, which is executed in the context of the victim's browser when the file is accessed. The vulnerability can be exploited remotely, and a public proof-of-concept exploit is available.
Exploitation of this vulnerability allows for cross-site scripting, where injected JavaScript is executed in the context of the user’s browser, potentially leading to phishing attacks or other malicious actions aligned with the attacker’s objectives.
To reproduce this vulnerability, an authenticated user with administrative rights can upload a file through the 'Files' menu. The file must be saved with an .html extension and the Content-Type must be set to text/html. Once the file is uploaded, it can be accessed via a direct link, which will trigger the execution of the embedded JavaScript in the browser.
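One way to blunt this class of issue on the serving side is sketched below. It is an added example in generic Node.js, not Total.js CMS code or the project's fix, and every name and the allow-list contents are assumptions. It decides response headers from both the stored extension and the declared Content-Type, so a file that is HTML by either measure is downloaded instead of rendered.

```javascript
// Added example: generic Node.js logic, not Total.js CMS code. All names are hypothetical.
// Types and extensions a browser renders as active content when opened from a direct link.
const ACTIVE_TYPES = new Set(['text/html', 'application/xhtml+xml', 'image/svg+xml', 'text/xml', 'application/xml']);
const ACTIVE_EXTENSIONS = new Set(['html', 'htm', 'xhtml', 'shtml', 'svg', 'xml']);
// Constructed allow-list: extension -> the only Content-Type it may be shown inline with.
const INLINE_SAFE = new Map([['png', 'image/png'], ['jpg', 'image/jpeg'], ['jpeg', 'image/jpeg'], ['gif', 'image/gif'], ['txt', 'text/plain']]);

function extensionOf(filename) {
  const base = String(filename).split(/[\\/]/).pop();
  const dot = base.lastIndexOf('.');
  return dot > 0 ? base.slice(dot + 1).toLowerCase() : '';
}

function normalizeType(declaredType) {
  // Drop parameters such as "; charset=utf-8" and normalise case.
  return String(declaredType || '').split(';')[0].trim().toLowerCase();
}

function classifyUpload(filename, declaredType) {
  const ext = extensionOf(filename);
  const type = normalizeType(declaredType);
  // Either signal alone is enough: the declared type and the extension are both client-controlled.
  if (ACTIVE_TYPES.has(type) || ACTIVE_EXTENSIONS.has(ext)) return 'active';
  if (INLINE_SAFE.get(ext) === type) return 'inline';
  return 'download';
}

function responseHeadersFor(filename, declaredType) {
  const verdict = classifyUpload(filename, declaredType);
  const headers = { 'X-Content-Type-Options': 'nosniff' };
  if (verdict === 'inline') {
    // Serve the type from the allow-list, never the client-declared string.
    headers['Content-Type'] = INLINE_SAFE.get(extensionOf(filename));
    headers['Content-Disposition'] = 'inline';
  } else {
    // Active or unknown content is forced to download and sandboxed if it is rendered anyway.
    headers['Content-Type'] = 'application/octet-stream';
    headers['Content-Disposition'] = 'attachment';
    headers['Content-Security-Policy'] = "sandbox; default-src 'none'";
  }
  return { verdict, headers };
}
```

Serving uploads from a separate origin that holds no CMS session cookies limits the impact further if a file is rendered despite these headers.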