CUBA and Jmix Frameworks XSS Vulnerability in JPA Web API

A cross-site scripting (XSS) vulnerability has been identified in the CUBA JPA Web API add-on, specifically in versions prior to 1.1.1. This vulnerability allows for the execution of malicious JavaScript in the browser. It arises from the manipulation of file path input parameters, which can be crafted to return a Content-Type header of text/html if the file name ends with .html. For exploitation, an attacker must first upload a malicious file to the application's file storage. This issue has been addressed in version 1.1.1 of the CUBA JPA Web API add-on.

Impact

Exploitation of this vulnerability allows for cross-site scripting, where an attacker can execute malicious JavaScript in the victim's browser. In the context of CUBA applications, this could lead to unauthorized actions being performed on behalf of the user or the exposure of sensitive information.

Remediation

Users can upgrade to CUBA JPA Web API add-on version 1.1.1 or disable the '/files' endpoint in their CUBA application to mitigate this vulnerability.