File Browser
cpe:2.3:a:filebrowser:filebrowser:*:*:*:*:*:*:*
- <= 2.33.6
A stored cross-site scripting (XSS) vulnerability has been identified in the Markdown preview function of File Browser versions through 2.33.6. This issue allows JavaScript code included in a Markdown file uploaded by a user to be executed in the browser. The vulnerability arises because most Markdown parsers render arbitrary HTML embedded in the document, so JavaScript can be carried in a crafted image tag, for example. When another user previews the file, the JavaScript executes, potentially leading to session token theft or privilege escalation, especially if the victim is an administrator.
Exploitation of this vulnerability allows for the execution of injected JavaScript in the context of the user's browser. This could result in stealing a user's session token or, if the victim is an administrator, escalating privileges to gain command execution rights.
To reproduce this vulnerability, upload a Markdown file containing a JavaScript payload embedded within an HTML element, such as an image tag with an 'onerror' event handler. Once the file is uploaded, open it in the Markdown preview feature, which renders the file and executes the embedded JavaScript in the browser.
Users can update to File Browser version 2.33.7, which addresses this vulnerability by sanitizing Markdown previews with DOMPurify, a library that removes harmful HTML and JavaScript.
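To check whether Markdown files already stored on an instance carry this kind of raw-HTML payload, the following added example (not File Browser's code and not part of the original advisory) flags HTML tags that could run script when rendered. It goes beyond the single image-tag case to cover any inline event handler, javascript: URLs and script-capable elements; the names scanMarkdown, auditFiles and SAMPLES are hypothetical, and the sample documents are constructed.

```javascript
// Added example: triage heuristic, not a sanitizer and not File Browser code.
// Raw HTML start tag, including attributes that wrap across lines.
const TAG_RE = /<([a-zA-Z][a-zA-Z0-9-]*)\b([^>]*)>/g;
// Inline event-handler attributes such as onerror, onload, onclick.
const HANDLER_RE = /(?:^|[\s"'\/])(on[a-z]+)\s*=/gi;
// URL-bearing attributes that use the javascript: scheme.
const JS_URL_RE = /\b(?:href|src|action|formaction)\s*=\s*["']?\s*javascript:/i;
// Elements that load or run active content by themselves.
const ACTIVE_TAGS = new Set(["script", "iframe", "object", "embed"]);

// Return one finding per raw HTML tag that could run script when rendered.
function scanMarkdown(text) {
  const findings = [];
  for (const m of text.matchAll(TAG_RE)) {
    const tag = m[1].toLowerCase();
    const reasons = [];
    if (ACTIVE_TAGS.has(tag)) reasons.push(`<${tag}> element`);
    for (const h of m[2].matchAll(HANDLER_RE)) {
      reasons.push(`${h[1].toLowerCase()} handler`);
    }
    if (JS_URL_RE.test(m[2])) reasons.push("javascript: URL");
    if (reasons.length > 0) {
      const line = text.slice(0, m.index).split("\n").length; // 1-based
      findings.push({ line, tag, reasons });
    }
  }
  return findings;
}

// Map of file name -> findings, omitting files with no findings.
function auditFiles(files) {
  const report = {};
  for (const [name, text] of Object.entries(files)) {
    const hits = scanMarkdown(text);
    if (hits.length > 0) report[name] = hits;
  }
  return report;
}

// Constructed sample documents, not taken from any real instance.
const SAMPLES = {
  "notes.md": "# Notes\n\nA [link](https://example.com) and <https://example.com>.\n",
  "readme.md": "# Readme\n\n<img src=\"x\"\n     onerror=\"console.log('constructed')\">\n",
  "links.md": "<a href=\"javascript:void(0)\">docs</a>\n\n<script>/* constructed */</script>\n",
};

console.log(JSON.stringify(auditFiles(SAMPLES), null, 2));
```

The scan does not parse Markdown, so HTML shown inside code samples is flagged as well and each hit needs manual review; it complements the upgrade to 2.33.7 and does not replace it.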