CUBA and Jmix Frameworks REST API Add-Ons Cross-Site Scripting Vulnerability
Vulnerability
A cross-site scripting (XSS) vulnerability has been identified in the CUBA REST API add-on versions from 7.1.1 prior to 7.2.7, as well as in the Jmix REST API component versions 1.0.0 through 1.6.1 and 2.0.0 through 2.3.4. An attacker can cause malicious JavaScript to execute in a victim's browser by crafting the 'FileRef' parameter so that the file endpoint returns a 'Content-Type' header of 'text/html', which happens in particular when the referenced file name ends with '.html'. Exploitation requires that the harmful file has been uploaded to the file storage beforehand. The issue has been addressed in CUBA REST API add-on version 7.2.7 and in Jmix versions 1.6.2 and 2.4.0.
Impact
Exploitation of this vulnerability could lead to cross-site scripting, allowing for the execution of malicious JavaScript in the victim's browser.
Remediation
Users can upgrade to CUBA REST API add-on version 7.2.7, or to Jmix version 1.6.2 (1.x line) or 2.4.0 (2.x line). Those unable to upgrade can disable the '/files' REST endpoint to mitigate the vulnerability.
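The root cause above is a download endpoint that lets a stored file's name drive the 'Content-Type' of the response, so a stored '.html' file is rendered inline in the origin of the API. The following Python is an added example, not code from CUBA, Jmix, or this advisory: it models the response-header check a defender would apply to a file-download endpoint (flagging active content types served without 'Content-Disposition: attachment' or 'nosniff') and builds the hardened header set such an endpoint should emit. The header policy, the list of "active" content types, and the sample file names are constructed for illustration and are not part of either framework's configuration.

```python
"""Response-header hardening for a file-download endpoint (added example).

Models the class of defect described in the advisory: a download response whose
Content-Type is derived from an untrusted stored file name, so 'evil.html' is
rendered as text/html inline. Nothing here is CUBA/Jmix code; the policy and
sample inputs are constructed for illustration.
"""
from __future__ import annotations

import mimetypes
from typing import Dict, List

# Content types a browser will render or execute as an active document.
# Constructed list for this example; extend it to match your own policy.
ACTIVE_TYPES = {
    "text/html",
    "application/xhtml+xml",
    "image/svg+xml",
    "text/xml",
    "application/xml",
}


def _normalize(headers: Dict[str, str]) -> Dict[str, str]:
    """Lower-case header names so lookups are case-insensitive (HTTP semantics)."""
    return {name.lower(): value for name, value in headers.items()}


def assess_download_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings for a download response; an empty list means it is safe.

    A stored-XSS risk exists when an active type is served inline, i.e. without
    'Content-Disposition: attachment'. Missing 'nosniff' is also reported because
    browsers may otherwise sniff an active type out of an innocuous-looking body.
    """
    h = _normalize(headers)
    findings: List[str] = []
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    disposition = h.get("content-disposition", "").split(";")[0].strip().lower()
    nosniff = h.get("x-content-type-options", "").strip().lower() == "nosniff"

    if ctype in ACTIVE_TYPES and disposition != "attachment":
        findings.append(f"active content type {ctype!r} served inline: stored XSS risk")
    if disposition != "attachment":
        findings.append("missing 'Content-Disposition: attachment'")
    if not nosniff:
        findings.append("missing 'X-Content-Type-Options: nosniff'")
    return findings


def hardened_download_headers(filename: str) -> Dict[str, str]:
    """Build headers for serving an untrusted stored file without rendering it.

    The MIME type is guessed from the name only to help the client pick an
    application; any active type is downgraded to application/octet-stream, the
    file is always forced to download, and the name is sanitised before being
    placed in the Content-Disposition parameter.
    """
    guessed, _ = mimetypes.guess_type(filename)
    ctype = guessed or "application/octet-stream"
    if ctype in ACTIVE_TYPES:
        ctype = "application/octet-stream"
    safe_name = "".join(c if c.isalnum() or c in "._-" else "_" for c in filename) or "download"
    return {
        "Content-Type": ctype,
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",
        # Belt and braces: even if something does render the body, it gets no script or network.
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }


if __name__ == "__main__":
    # Constructed sample: the vulnerable shape (file name decided the content type).
    vulnerable = {"Content-Type": "text/html;charset=UTF-8"}
    for finding in assess_download_headers(vulnerable):
        print("VULNERABLE:", finding)
    # The same file served with the hardened header set.
    print("HARDENED:", assess_download_headers(hardened_download_headers("evil.html")) or "no findings")
```

In a real deployment the check runs against your own endpoint's responses (for example in an integration test that uploads a constructed '.html' file and fetches it back), and the hardened header builder is the policy the download handler enforces regardless of what name the client supplied.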