CodiMD Content Security Policy Bypass Vulnerability Allowing Cross-Site Scripting

Vulnerability

CodiMD versions through 2.5.4 ship a Content Security Policy (CSP) intended to stop Cross-Site Scripting (XSS) from uploaded SVG files, but the policy can be bypassed when uploads are stored on a different origin, such as AWS S3, because the file is then served from that origin without CodiMD's CSP headers. Hosting untrusted JavaScript on AWS without proper CSP headers may be considered user error, but the issue still reflects a flaw in how CodiMD handles file uploads and enforces its CSP.

Impact

Exploitation of this vulnerability allows stored Cross-Site Scripting: JavaScript embedded in an uploaded SVG file executes in the browser of anyone who accesses the file.

Reproduction

The vulnerability can be reproduced by uploading an SVG file with embedded JavaScript to a CodiMD instance that stores files on a different origin, such as AWS S3. Once the file is uploaded, accessing it through the application triggers the XSS payload. The upload itself is done by logging into the application, creating a new note, and using the image upload feature to submit the SVG file.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 3.4
impact: 1.7
exploitability: 6.5
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.