django-mdeditor Missing Authentication Vulnerability in Image Upload Endpoint Allowing Arbitrary Code Execution
Vulnerability
A vulnerability exists in all versions of the django-mdeditor package: the image upload endpoint, a critical function, is reachable without authentication. This flaw allows attackers to upload malicious files, potentially leading to arbitrary code execution. The vulnerability arises because the endpoint neither authenticates the caller nor adequately sanitizes the client-supplied file name.
Impact
Exploitation of this vulnerability allows for arbitrary file uploads, with uploaded files potentially containing malicious code that could be executed, according to Snyk.
Reproduction
The vulnerability can be reproduced by uploading an image file through the editor's image upload feature without any authentication. Because the file name is not sanitized, the uploaded file can be given a name containing a script tag (for example, a JavaScript alert), which demonstrates the cross-site scripting (XSS) vulnerability.
Remediation
A fix has been implemented and merged into the master branch, but it has not yet been published. Users should monitor the django-mdeditor repository for the release of the updated version.
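The checks a hardened upload view needs, in the order a defender would apply them (reject unauthenticated callers first, then replace the client-supplied file name with a server-chosen one, then confirm the bytes really are an allowed image type), as a standalone Python model. This is an added example, not django-mdeditor's code and not the merged fix; the function names handle_upload, sanitize_filename and looks_like_image, the status codes and the sample inputs are constructed for illustration.

```python
import os
import re
import secrets
from typing import NamedTuple, Optional

# Allow-list of image extensions and the file signatures (magic bytes) each must
# carry. Checking the content, not only the extension, stops a renamed script from
# passing as an image. Signatures are the standard PNG/JPEG/GIF headers.
ALLOWED_SIGNATURES = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
MAX_UPLOAD_BYTES = 5 * 1024 * 1024  # constructed limit for the example


class UploadResult(NamedTuple):
    status: int                 # HTTP status the view would return
    stored_name: Optional[str]  # server-chosen name, only on success
    reason: str


def sanitize_filename(original: str, token: Optional[str] = None) -> Optional[str]:
    """Return a safe, server-chosen name for the upload, or None if the extension
    is not allowed. The client-supplied name contributes only a whitelisted stem:
    directory components, angle brackets, quotes and everything else outside
    [A-Za-z0-9_-] are replaced, so a name built from a <script> tag can never be
    echoed into a page unchanged. A random token keeps names unguessable."""
    base = original.replace("\\", "/").rsplit("/", 1)[-1]  # drop any path part
    stem, ext = os.path.splitext(base)
    ext = ext.lower()
    if ext not in ALLOWED_SIGNATURES:
        return None
    safe_stem = re.sub(r"[^A-Za-z0-9_-]", "_", stem).strip("_")[:40] or "upload"
    token = token if token is not None else secrets.token_hex(8)
    return f"{safe_stem}_{token}{ext}"


def looks_like_image(ext: str, content: bytes) -> bool:
    """True if the content starts with a signature valid for the chosen extension."""
    return any(content.startswith(sig) for sig in ALLOWED_SIGNATURES.get(ext, ()))


def handle_upload(is_authenticated: bool, filename: str, content: bytes,
                  token: Optional[str] = None) -> UploadResult:
    """Model of the checks an image upload view should perform, in order.
    `is_authenticated` stands in for request.user.is_authenticated in Django."""
    if not is_authenticated:
        return UploadResult(403, None, "authentication required")
    if len(content) > MAX_UPLOAD_BYTES:
        return UploadResult(413, None, "file too large")
    stored = sanitize_filename(filename, token)
    if stored is None:
        return UploadResult(400, None, "extension not allowed")
    ext = os.path.splitext(stored)[1]
    if not looks_like_image(ext, content):
        return UploadResult(415, None, "content is not an allowed image type")
    return UploadResult(201, stored, "stored")


if __name__ == "__main__":
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16  # constructed minimal PNG header
    print(handle_upload(False, "photo.png", png))
    print(handle_upload(True, "../../evil<img onerror=alert(1)>.png", png, token="deadbeef"))
    print(handle_upload(True, "notes.txt.png", b"not an image"))
```

In a Django deployment the same ordering is obtained by wrapping the upload view with `login_required` (django.contrib.auth.decorators) and `require_POST` (django.views.decorators.http) in urls.py, and by never writing the client's name to disk; the model above only shows the decision logic so it runs without Django installed.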
