OpenPLC Runtime Arbitrary File Upload Vulnerability Allowing Stored Cross-Site Scripting

Vulnerability

A vulnerability exists in OpenPLC Runtime version 3 through commit 9cd8f1b that allows authenticated users to upload arbitrary files, such as .html or .svg, through the '/edit-user' route. The uploaded files are then served under the '/static' URI without authentication. Because that path is served from the same origin as the OpenPLC web interface, an uploaded file containing script leads to stored cross-site scripting (XSS), and the server can also be abused to host arbitrary malicious content.

Impact

Exploitation of this vulnerability allows arbitrary file uploads because the MIME type and file extension of the profile picture are not adequately validated. An uploaded .html or .svg file is rendered by the browser as a document rather than displayed as an inert image, so any script it contains executes in the browser of whoever opens the file, within the origin of the OpenPLC web interface and therefore with access to that viewer's session.

Reproduction

To reproduce this vulnerability, an authenticated user uploads a .html or .svg file as a profile picture via the '/edit-user' endpoint. The file is stored under the '/static/' directory with its original name and extension and can be fetched by any client, including unauthenticated ones. If the file contains executable content, such as JavaScript in a <script> tag or an SVG event handler, it runs in the browser of any user who opens the file's URL.
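The following is an added example, not OpenPLC's own code, of the two upload-handling patterns the advisory contrasts: an insecure handler that writes the client-supplied filename straight into the web-served directory, and a hardened check that a profile-picture handler could call before saving. The function names, the 'static/avatars' location and the allowed formats are assumptions made for the example; the point is that the stored name and extension come from an allowlist and the file content is verified, so .html and .svg can never land under a web-served path.

```python
"""Added example (not OpenPLC's own code): validating a profile-picture upload
so that HTML/SVG cannot be stored under a directory the web server exposes."""
import os
import re
import secrets

# Magic bytes of the raster image formats accepted by this example. SVG is XML
# text that may carry <script> or event handlers, so it is deliberately absent.
IMAGE_SIGNATURES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}

# Markup that indicates active content regardless of the claimed extension.
# This is deliberately conservative: a raster image containing these bytes in a
# metadata chunk is rejected too, which is an acceptable false positive.
ACTIVE_CONTENT = re.compile(rb"<\s*(script|svg|html|iframe|object)\b", re.I)


def unsafe_stored_name(filename: str) -> str:
    """Vulnerable pattern (hypothetical): trust the client's filename.

    A user who uploads 'avatar.html' or 'avatar.svg' gets a file with exactly
    that name under the web root, which the server then delivers with a
    text/html or image/svg+xml Content-Type and the browser renders.
    """
    return os.path.join("static", filename)


def validate_profile_picture(filename: str, data: bytes, max_bytes: int = 1_000_000):
    """Hardened check (hypothetical). Returns (ok, reason_or_stored_path)."""
    if len(data) > max_bytes:
        return False, "file too large"
    ext = os.path.splitext(filename)[1].lower().lstrip(".")
    if ext not in IMAGE_SIGNATURES:
        return False, f"extension .{ext} not allowed"
    if not data.startswith(IMAGE_SIGNATURES[ext]):
        return False, "content does not match declared image type"
    if ACTIVE_CONTENT.search(data):
        return False, "active content found in upload"
    # Never reuse the client-supplied name: a random name rules out overwriting
    # another user's picture and any path trickery, and the extension is taken
    # from the allowlist rather than from the request.
    stored = f"{secrets.token_hex(16)}.{ext}"
    return True, os.path.join("static", "avatars", stored)


def safe_download_headers(ext: str) -> dict:
    """Defence in depth when serving user uploads (hypothetical helper).

    Even if a non-image slipped through, these headers stop the browser from
    sniffing it into HTML, force a download, and sandbox anything that does
    render so it cannot reach the application's origin.
    """
    content_type = {"png": "image/png", "gif": "image/gif"}.get(ext, "image/jpeg")
    return {
        "Content-Type": content_type,
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": "attachment",
        "Content-Security-Policy": "sandbox",
    }
```

A handler would call validate_profile_picture on the raw bytes before touching the filesystem and return the reason string to the client on failure; safe_download_headers applies to the route that serves the stored pictures, so that a stored file is never rendered as a document in the application's origin.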

Added: Aug 4, 2025, 2:16 AM
Updated: Aug 4, 2025, 2:16 AM

Vulnerability Rating

Custom Algorithm

spread: 2.6
impact: 0.6
exploitability: 5.2
remediation: 8.3
relevance: 0.3
threat: 1.6
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.