Gstarsoft GstarCAD Cross-Site Scripting Vulnerability in File Renaming Handler
Vulnerability
A stored cross-site scripting vulnerability has been identified in Gstarsoft GstarCAD versions prior to 9.4.0. This issue arises in the file renaming feature, where an attacker can inject malicious JavaScript into the file name. The injected script executes in the context of the user's browser when the file list is viewed or when the renamed file is opened. Additionally, if the file is shared via link, others accessing it will also trigger the execution of the injected script. This vulnerability could lead to theft of sensitive information such as cookies and session tokens, unauthorized actions on behalf of users, persistent account compromises, and secondary exploitation through shared links.
Impact
Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user’s browser. This could result in theft of cookies and session tokens, unauthorized actions on behalf of the user, and a persistent compromise of user accounts, as the injected payload is stored on the server. Furthermore, if a maliciously renamed file is shared, the impact extends to other users who open the file.
Remediation
Users are advised to update to Gstarsoft GstarCAD version 9.4.0 or later.
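The flaw class described above, as an added example: this is not Gstarsoft code and does not describe the vendor's fix. It shows a file name being concatenated into a file-list row unencoded, next to a version that encodes at output and a rename check as defense in depth. All function names, the `/files/` path and the sample file name are constructed for illustration.

```javascript
// Added example: hypothetical file-list renderer, not GstarCAD code.

// Encode the characters that are significant in HTML text and quoted attributes.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: the stored name is placed into markup unchanged, so any
// markup in the name becomes part of the page for every user who lists the file.
function renderRowUnsafe(file) {
  return '<li><a href="/files/' + file.id + '" title="' + file.name + '">' +
         file.name + '</a></li>';
}

// Hardened pattern: encode at output, in every context where the name appears.
function renderRowSafe(file) {
  const name = escapeHtml(file.name);
  return '<li><a href="/files/' + encodeURIComponent(file.id) + '" title="' + name + '">' +
         name + '</a></li>';
}

// Defense in depth in the rename handler: refuse names that carry angle
// brackets, path separators or control characters. Quotes and ampersands are
// legitimate in file names, so they are left to output encoding.
function validateNewName(name) {
  if (typeof name !== 'string' || name.length === 0 || name.length > 255) return false;
  return !/[<>\\\/\u0000-\u001f\u007f]/.test(name);
}

// Constructed sample record standing in for a renamed file.
const SAMPLE = { id: '42', name: 'plan"><img src=x onerror=alert(1)>.dwg' };

// Summarize how each control treats the sample; returned for inspection or testing.
function demo() {
  return {
    unsafeHasTag: renderRowUnsafe(SAMPLE).includes('<img'),
    safeHasTag: renderRowSafe(SAMPLE).includes('<img'),
    renameAccepted: validateNewName(SAMPLE.name),
  };
}
```

Output encoding is the control that stops the script from executing; the rename check only limits what reaches storage and does nothing for names that were stored before it was added.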
