DataEase
cpe:2.3:a:dataease:dataease:*:*:*:*:*:*:*
- <= 2.10.13
A stored cross-site scripting vulnerability has been identified in DataEase versions through 2.10.13. It arises from inadequate validation of file uploads combined with an authentication bypass. The StaticResourceApi interface lets users control both the filename and the extension of uploaded files. During permission validation, the TokenFilter uses the WhitelistUtils#match method to check whether the URL path is on the allowlist; if the requestURI ends with .js or a similar extension, the request is automatically treated as safe and permission checks are skipped. Together, these flaws allow an attacker to upload HTML files containing malicious JavaScript.
Exploitation of this vulnerability allows for stored cross-site scripting, where uploaded HTML files can execute malicious JavaScript in the context of the user.
To reproduce this vulnerability, upload a file through the 'upload/{fileId}' route of the StaticResourceApi interface, specifying a .js or similar extension. Because the TokenFilter skips permission checks for such paths, an HTML file containing malicious JavaScript can be uploaded. Once uploaded, the JavaScript executes, demonstrating the cross-site scripting vulnerability.
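As an added illustration (not DataEase's code), the following contrasts a suffix-only allowlist of the kind the advisory describes with a hardened variant that anchors static-asset exemptions to a server-controlled path prefix and never exempts upload routes, plus a server-side naming rule that ignores the client-supplied filename. The prefixes and extension sets are assumed placeholders, not the project's real paths.

```python
import posixpath
import secrets
from typing import Optional
from urllib.parse import urlsplit

STATIC_SUFFIXES = (".js", ".css", ".png")          # assumed static-asset suffixes


def suffix_allowlisted(request_uri: str) -> bool:
    """Weak check modelled on the advisory: any path ending in a static suffix
    skips permission checks, so an uploaded file named foo.html.js qualifies."""
    path = urlsplit(request_uri).path
    return path.lower().endswith(STATIC_SUFFIXES)


# Hardened check: exemption requires the normalised path to sit under a fixed
# static prefix, and upload routes are never exempt whatever their suffix.
STATIC_PREFIXES = ("/static/", "/assets/")          # placeholder static prefixes
UPLOAD_PREFIXES = ("/upload/",)                     # placeholder upload route


def hardened_allowlisted(request_uri: str) -> bool:
    path = urlsplit(request_uri).path               # drop query and fragment
    norm = posixpath.normpath(path)                 # collapse ./ and ../ segments
    if norm.startswith(UPLOAD_PREFIXES):
        return False
    if not norm.startswith(STATIC_PREFIXES):
        return False
    return norm.lower().endswith(STATIC_SUFFIXES)


ALLOWED_UPLOAD_EXT = {".png", ".jpg", ".jpeg", ".gif"}   # placeholder allowed types


def server_side_name(user_filename: str) -> Optional[str]:
    """Discard the client's name entirely; keep only a vetted extension.
    Returns None when the extension is not permitted (e.g. .html, .js)."""
    ext = posixpath.splitext(posixpath.basename(user_filename))[1].lower()
    if ext not in ALLOWED_UPLOAD_EXT:
        return None
    return secrets.token_hex(16) + ext
```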
Users are advised to upgrade to DataEase version 2.10.14, where this vulnerability has been fixed.