Frappe LMS
cpe:2.3:a:frappe:frappe_lms:*:*:*:*:*:*:*
- >= 2.34, < 2.35.0
- = 2.35.0
A stored cross-site scripting vulnerability has been identified in Frappe LMS versions 2.34.x and 2.35.0. This issue arises from the application's inadequate handling of uploaded HTML and SVG files, particularly in the file upload feature for assignments. Although the user interface displays error messages for unsupported file types, malicious files can still be uploaded and later executed in the browsers of users or administrators who access them. This vulnerability allows attackers to steal session data, impersonate users, and escalate privileges.
Exploitation of this vulnerability allows for stored cross-site scripting, where uploaded malicious files execute JavaScript in the context of the user viewing the file. This can lead to session hijacking, impersonation of users, and unauthorized privilege escalation. The vulnerability also allows for the exfiltration of sensitive information, such as user emails and administrative status.
To reproduce this vulnerability, log in as an administrator and create a student account. Then, create an assignment and a course, attaching the assignment. Log in as the student user and navigate to the course assignment page. In the editor, switch the file type filter to 'All Files' and upload a crafted HTML payload. After saving the file, the malicious payload can be triggered by opening the uploaded file in a new tab, which will execute the JavaScript payload and exfiltrate sensitive data to the attacker's server.
Users are advised to upgrade to Frappe LMS version 2.34.0 or later, where this vulnerability has been addressed. Additionally, it is recommended to implement strict server-side validation of uploaded file types, reject non-image files at the backend, sanitize or disallow SVG and HTML uploads, and apply Content Security Policy headers to mitigate the impact of cross-site scripting.
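As an added example (not code from Frappe LMS or from this advisory), the following Python shows the server-side checks the paragraph above recommends: the decision rests on the uploaded bytes rather than the filename extension or the client-declared MIME type, HTML and SVG bodies are refused even when they arrive under an image name, and stored files are served with headers that stop a browser from rendering them as a document. The function names, the set of accepted image formats and the sample inputs are all assumptions constructed for illustration; nothing here is Frappe's own upload API, so the validator would need to be wired into the application's upload handler.

```python
"""Server-side upload validation that does not trust the client.

Added example, not Frappe LMS code. Decides whether an uploaded
assignment file may be stored as an image by inspecting its bytes,
and builds the headers used to serve stored files inertly.
"""
from dataclasses import dataclass
from typing import Dict, Optional

# Leading bytes of the raster formats this (assumed) policy accepts.
IMAGE_SIGNATURES = {
    "image/png": [b"\x89PNG\r\n\x1a\n"],
    "image/jpeg": [b"\xff\xd8\xff"],
    "image/gif": [b"GIF87a", b"GIF89a"],
}

# Markup openers that identify a document a browser would render and
# script, not an image. Checked only after the signature test fails, so
# XML metadata embedded inside a genuine image does not trip the rule.
ACTIVE_CONTENT_MARKERS = (b"<svg", b"<html", b"<script", b"<?xml", b"<!doctype")


@dataclass
class UploadDecision:
    accepted: bool
    content_type: Optional[str]   # sniffed type when accepted, else None
    reason: str


def sniff_image_type(data: bytes) -> Optional[str]:
    """Return the image MIME type implied by the leading bytes, or None."""
    for mime, signatures in IMAGE_SIGNATURES.items():
        if any(data.startswith(sig) for sig in signatures):
            return mime
    return None


def validate_upload(filename: str, declared_type: str, data: bytes) -> UploadDecision:
    """Accept only files whose content is a supported raster image.

    `filename` and `declared_type` are client-controlled and are used
    only in the rejection message; the verdict depends on `data` alone.
    """
    sniffed = sniff_image_type(data)
    if sniffed is not None:
        return UploadDecision(True, sniffed, "ok")
    head = data[:1024].lower()
    if any(marker in head for marker in ACTIVE_CONTENT_MARKERS):
        return UploadDecision(False, None, f"{filename}: markup detected in upload body")
    return UploadDecision(False, None,
                          f"{filename}: not a supported image (client claimed {declared_type!r})")


def download_headers(content_type: str, filename: str) -> Dict[str, str]:
    """Headers for serving a stored file so the browser treats it as an
    opaque download even if a bad file slipped past validation:
    no MIME sniffing, no inline rendering, no script execution."""
    safe_name = filename.replace('"', "").replace("\r", "").replace("\n", "")
    return {
        "Content-Type": content_type,
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }


if __name__ == "__main__":
    # Constructed sample uploads: a real PNG header, an SVG carrying a
    # script element, and an HTML document renamed to look like a PNG.
    samples = [
        ("diagram.png", "image/png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
        ("notes.svg", "image/svg+xml",
         b'<svg xmlns="http://www.w3.org/2000/svg"><script>/* constructed */</script></svg>'),
        ("renamed.png", "image/png", b"<!DOCTYPE html><html><body>constructed</body></html>"),
    ]
    for name, claimed, body in samples:
        decision = validate_upload(name, claimed, body)
        print(f"{name:14} accepted={decision.accepted!s:5} {decision.reason}")
        if decision.accepted:
            print("   serve with:", download_headers(decision.content_type, name))
```

The second and third samples are rejected regardless of the extension or declared type the client sends, which is the gap the advisory describes; the download headers are the second layer, so that a file which is already stored cannot execute in a viewer's browser even if it was accepted by an older, weaker check.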