Code16 Sharp Cross-Site Scripting Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in Code16 Sharp version 9.6.6. The issue arises in the image file upload feature, which accepts SVG files without proper sanitization. This lack of validation allows attackers to upload SVGs containing malicious scripts that could be executed in the context of the user.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where uploaded SVG files with embedded scripts are executed when the images are viewed. This could lead to session hijacking or unauthorized actions on behalf of the user. Additionally, the vulnerability could be exploited to cause a denial-of-service by uploading SVGs that disrupt server performance.

Remediation

Users can upgrade to Code16 Sharp version 9.7.0, which includes a fix by sanitizing SVG uploads by default. Instructions for downloading this version are available on the Code16 Sharp GitHub releases page.