JhumanJ OpnForm Unrestricted File Upload Vulnerability

Vulnerability

A critical unrestricted file upload vulnerability affects JhumanJ OpnForm versions up to and including 1.9.3. The flaw lies in the file upload handling behind the '/answer' endpoint (the exact function has not been identified): uploaded files are not restricted by type, so an attacker can upload HTML and SVG files that carry embedded JavaScript. The attack can be carried out remotely, and the script runs whenever someone opens the stored file in a browser.

Impact

An attacker can store arbitrary HTML or SVG on the server and have its JavaScript execute in the browser of any user who opens the file, i.e. a stored cross-site scripting vector reached through the upload feature. What the script can reach depends on the origin the file is served from: served from the application's own origin, it runs with access to that origin's cookies and storage; served from a separate storage origin, it is confined to that origin. The advisory does not specify which applies.

Reproduction

Upload an HTML or SVG file containing a <script> element through the application's file upload feature. The stored file is then reachable through a signed URL, and opening that URL in a browser executes the embedded JavaScript. To check whether an instance is still exposed, fetch the signed URL of an uploaded HTML or SVG file and inspect the response headers: a Content-Type of text/html or image/svg+xml without Content-Disposition: attachment means the browser will render the file and run the script.

Remediation

Users are advised to update to JhumanJ OpnForm version 1.9.4 or later, where this vulnerability has been patched. Until the update is applied, the general defences for this class of issue are to restrict uploads to an allowlist of extensions the forms actually need, verify each file's content against the format its extension claims, and serve stored files with Content-Disposition: attachment, X-Content-Type-Options: nosniff and a restrictive Content-Security-Policy, ideally from an origin separate from the application. These are generic mitigations, not a description of the 1.9.4 patch.
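The following is an added example, not OpnForm's own code, illustrating both the Reproduction and Remediation sections: a permissive upload policy that behaves as the advisory describes sits beside a hardened policy that rejects HTML and SVG by extension allowlist and by content, plus the response headers a download endpoint should send. The allowlist, file names, byte samples and function names are assumptions made for the example.

```python
# Added example (not OpnForm's code): upload policy that closes the hole
# described in the advisory, beside the permissive policy that reproduces it.
# The allowlist, sample files and byte contents below are constructed.
import re
from pathlib import PurePosixPath

# Assumed allowlist of what a form answer legitimately needs to carry.
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "webp", "pdf", "txt", "csv"}

# Magic bytes for the binary formats; a file with one of these extensions
# must start with the matching signature or it is rejected.
MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "webp": (b"RIFF",),
    "pdf": (b"%PDF-",),
}

# Markup that makes a browser treat the response as a document.
ACTIVE_MARKUP = re.compile(
    rb"<\s*(script|svg|html|!doctype|iframe|object|embed|body|meta)\b",
    re.IGNORECASE,
)
SVG_NS = b"http://www.w3.org/2000/svg"

CONTENT_TYPES = {
    "png": "image/png", "jpg": "image/jpeg", "jpeg": "image/jpeg",
    "gif": "image/gif", "webp": "image/webp", "pdf": "application/pdf",
    "txt": "text/plain", "csv": "text/csv",
}


def extension(filename):
    """Last extension only, lower-cased, without the leading dot."""
    return PurePosixPath(filename).suffix.lower().lstrip(".")


def vulnerable_accepts(filename, data):
    """Behaviour the advisory describes for <= 1.9.3: every upload is stored
    and later served, so HTML/SVG with JavaScript reaches the browser."""
    return True


def hardened_accepts(filename, data):
    """Extension allowlist first, then a content check so that renaming
    'payload.svg' to 'payload.png' or hiding markup in a .txt is caught."""
    ext = extension(filename)
    if ext not in ALLOWED_EXTENSIONS:
        return False
    head = data[:4096]
    if ext in MAGIC:
        if not head.startswith(MAGIC[ext]):
            return False
        # WebP is a RIFF container whose form type at offset 8 is "WEBP".
        if ext == "webp" and head[8:12] != b"WEBP":
            return False
        return True
    # Text formats: refuse anything a browser would render as markup.
    return ACTIVE_MARKUP.search(head) is None and SVG_NS not in head


def download_headers(ext):
    """Headers for serving a stored file so that even a file that slipped
    through is downloaded rather than rendered and cannot run script."""
    return {
        "Content-Type": CONTENT_TYPES.get(ext, "application/octet-stream"),
        "Content-Disposition": "attachment",
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }


# Constructed samples standing in for the uploads the advisory mentions.
SAMPLES = {
    "payload.svg": b'<svg xmlns="http://www.w3.org/2000/svg"><script>alert(document.domain)</script></svg>',
    "payload.html": b"<!DOCTYPE html><html><body><script>alert(1)</script></body></html>",
    "disguised.png": b'<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>',
    "notes.txt": b"<script>alert(1)</script>",
    "photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
    "answer.csv": b"question,answer\nname,alice\n",
}


def evaluate(policy):
    """Map each sample file name to the policy's accept/reject decision."""
    return {name: policy(name, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, ok in evaluate(hardened_accepts).items():
        print(f"{name:15} {'accept' if ok else 'reject'}")
```

The content check matters more than the allowlist: an SVG renamed to .png passes a naive extension filter, and a text file that is later served with a sniffable Content-Type can still be rendered as HTML. Images that a form builder needs to display inline can be served inline only after the magic-byte check, while the Content-Security-Policy sandbox keeps any script inert if a file is ever rendered.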

Added: Oct 8, 2025, 6:19 AM
Updated: Oct 8, 2025, 6:19 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.6
exploitability: 6.3
remediation: 7.7
relevance: 0.7
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.