LearnHouse Unrestricted File Upload Vulnerability in Course Thumbnail Handler

A vulnerability allowing unrestricted file uploads has been identified in LearnHouse versions prior to commit 98dfad76aad70711a8113f6c1fdabfccf10509ca. The issue arises in the Course Thumbnail Handler within the file /api/v1/courses/. The vulnerability allows attackers to upload files by manipulating the thumbnail argument, bypassing client-side file type validations. This flaw can be exploited remotely and has been publicly disclosed.

Impact

Exploitation of this vulnerability leads to stored cross-site scripting (XSS) via uploaded SVG files, which can execute JavaScript when viewed. Additionally, it allows for the upload of server-side scripts, such as Python or PHP files, which could be executed if an appropriate execution vector exists, potentially leading to remote code execution (RCE).

Reproduction

To reproduce this vulnerability, upload a legitimate image file through the course thumbnail upload endpoint. Intercept the upload request and replace the image with an SVG file containing JavaScript, or a server-side script such as a Python or PHP file. After uploading, the SVG will execute JavaScript when accessed, demonstrating the stored XSS vulnerability. If a script file is uploaded, it can be executed on the server, showing the RCE risk.