Agora Foundation Agora fall23-Alpha1 Cross-Site Scripting Vulnerability via Profile Picture Upload
Vulnerability
A cross-site scripting (XSS) vulnerability has been identified in Agora Foundation's Agora fall23-Alpha1 version prior to the commit 690ce56. The issue arises in the userController.js file, where user-uploaded profile pictures are processed. The server's userRoutes.js file allows image formats other than the intended PNG, JPEG, and WEBP, such as SVG, to be uploaded. This improper handling of image files creates an opportunity for XSS attacks.
Impact
Exploitation of this vulnerability allows for cross-site scripting, where an attacker can inject malicious scripts that are executed in the context of the user's browser.
Reproduction
To reproduce this vulnerability, upload a profile picture in a format other than the allowed PNG, JPEG, or WEBP, such as SVG. The uploaded file will be processed by the userController.js, where the XSS vulnerability can be exploited.
Remediation
Users should update to Agora Foundation Agora fall23-Alpha1 version 690ce56 or later, where this vulnerability has been fixed.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.