Perx Customer Engagement and Loyalty Platform Stored Cross-Site Scripting Vulnerability

Vulnerability

A stored cross-site scripting vulnerability has been identified in the LMT Dashboard of the Perx Customer Engagement & Loyalty Platform, affecting versions prior to 4.617.4. This vulnerability allows authenticated attackers to execute arbitrary JavaScript in the browsers of users viewing the affected content. The issue arises from inadequate sanitization of SVG file uploads, enabling attackers to inject malicious scripts that could be executed when the image is viewed on the public LMT microsite. Such exploitation could lead to session hijacking, data theft, or other unauthorized actions.

Impact

Exploitation of this vulnerability allows for session hijacking, with attackers able to impersonate victims, access sensitive information, or perform unauthorized actions on their behalf. This could include modifying content or redirecting users to malicious sites. The vulnerability is particularly dangerous when combined with phishing or targeted social engineering, potentially leading to a full session compromise.

Reproduction

To reproduce this vulnerability, an authenticated user uploads an SVG file containing JavaScript through the campaign image upload feature of the LMT Dashboard. Once the SVG is uploaded and the campaign is published, the JavaScript executes in the browser of anyone who views the image on the public LMT microsite. After the initial patch was applied, the issue could still be reproduced by bypassing the client-side upload sanitization with a direct PUT request carrying the malicious SVG payload.

Remediation

Users are advised to upgrade to version 4.6.74 or later, in which this vulnerability has been fixed. Additionally, a strict Content Security Policy (CSP) and HttpOnly session cookies provide extra layers of protection against similar vulnerabilities.
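As an added example (not Perx's code, and not the fix shipped in 4.6.74), the following Python check shows the server-side validation an upload endpoint needs so that the direct-PUT bypass described above cannot succeed: it parses the SVG and rejects script elements, event-handler attributes and javascript: URLs, and lists the response headers that stop a served SVG from running script even if one slips through. The sample SVGs in the test are constructed for this example.

```python
import re
import xml.etree.ElementTree as ET

# Elements that carry script or embed arbitrary HTML inside an SVG document.
FORBIDDEN_TAGS = {"script", "foreignObject", "iframe", "embed", "object"}

# Attribute values that turn a link or animation target into code execution.
ACTIVE_URL = re.compile(r"^\s*(javascript:|data:text/html)", re.IGNORECASE)

# Headers for serving stored SVGs: no script may run even if validation is
# bypassed, and the browser must not sniff the file into an HTML document.
SAFE_SVG_HEADERS = {
    "Content-Type": "image/svg+xml",
    "Content-Security-Policy": "default-src 'none'; style-src 'unsafe-inline'",
    "X-Content-Type-Options": "nosniff",
}


def _local(name: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on tag/attribute names."""
    return name.rsplit("}", 1)[-1]


def find_active_content(svg_bytes: bytes) -> list[str]:
    """Return a list of reasons the SVG must be rejected (empty means clean).

    Server-side only: client-side checks can be skipped with a direct request.
    In production, parse with a hardened XML parser (e.g. defusedxml) so that
    entity-expansion attacks are also refused.
    """
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"unparseable XML: {exc}"]
    findings = []
    if _local(root.tag) != "svg":
        findings.append(f"root element is <{_local(root.tag)}>, not <svg>")
    for el in root.iter():
        tag = _local(el.tag)
        if tag in FORBIDDEN_TAGS:
            findings.append(f"forbidden element <{tag}>")
        for attr, value in el.attrib.items():
            name = _local(attr).lower()
            if name.startswith("on"):  # onload, onclick, onerror, ...
                findings.append(f"event handler attribute {name} on <{tag}>")
            if ACTIVE_URL.match(value):  # href, xlink:href, animation 'to', ...
                findings.append(f"active URL in {name} on <{tag}>")
    return findings


def is_safe_svg(svg_bytes: bytes) -> bool:
    """Accept the upload only when no active content was found."""
    return not find_active_content(svg_bytes)
```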

Added: Oct 27, 2025, 8:22 AM
Updated: Oct 27, 2025, 2:16 PM

Vulnerability Rating (Custom Algorithm)

  spread          0.0
  impact          1.7
  exploitability  6.3
  remediation     7.7
  relevance       0.9
  threat          6.4
  urgency         2.9
  incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.