eLabFTW Stored Cross-Site Scripting Vulnerability via Malicious SVG Upload

Vulnerability

A stored cross-site scripting vulnerability has been identified in eLabFTW, an open-source electronic lab notebook, in versions through 5.2.8. The issue arises because the application served uploaded SVG files inline, and SVG files can contain active content. An attacker could upload a crafted SVG that executes scripts when viewed, leading to session hijacking, data exfiltration, or unauthorized actions performed on behalf of the victim. This vulnerability requires a valid user account to exploit.

Impact

Exploitation of this vulnerability could lead to account takeover by stealing the session token, allowing the attacker to access the victim's account. Additionally, it could result in unauthorized data exposure and modification within the victim's privileges, and enable actions similar to cross-site request forgery by exploiting the victim's authenticated context.

Remediation

Update to eLabFTW version 5.3.0 or later to address this vulnerability. If an immediate update is not possible, remove the vulnerable line in the DownloadController.php file and build a new container without that line.
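The root cause and the fix both come down to how an uploaded file is handed back to the browser: an SVG served inline is rendered as a document, so any script or event handler inside it runs in the application's origin, while the same bytes served as an attachment are merely downloaded. The following Python is an added illustration of that defensive pattern and is not code from eLabFTW or from the advisory; the header-building function, the active-content scanner, the list of "active" MIME types and the two sample SVG uploads are all constructed here for the example. It shows the two checks a maintainer would want around a download endpoint: force `Content-Disposition: attachment` (plus `nosniff` and a restrictive CSP) for types that browsers execute, and, as a secondary measure for upload-time validation or incident triage, flag SVGs that contain `<script>`/`<foreignObject>` elements, `on*` event attributes or `javascript:` hrefs.

```python
"""Defensive handling of uploaded SVG files (added example, not eLabFTW code)."""
import xml.etree.ElementTree as ET
from typing import Dict, List, Set

# MIME types a browser renders as a document when served inline, which is what
# lets embedded scripts run. Constructed for this example; extend as needed.
ACTIVE_MIME_TYPES: Set[str] = {"image/svg+xml", "text/html", "application/xhtml+xml"}


def download_headers(filename: str, mime: str,
                     active_types: Set[str] = ACTIVE_MIME_TYPES) -> Dict[str, str]:
    """Build response headers for serving one uploaded file.

    Files whose MIME type browsers treat as active content are always sent as an
    attachment, so they are downloaded rather than rendered in the app's origin.
    Everything else (PNG, PDF, ...) may still be displayed inline.
    """
    # Strip characters that could break or inject into the header value.
    safe_name = filename.replace('"', "").replace("\r", "").replace("\n", "")
    headers = {
        "Content-Type": mime,
        # Prevent the browser from sniffing a different (possibly active) type.
        "X-Content-Type-Options": "nosniff",
    }
    if mime in active_types:
        headers["Content-Disposition"] = f'attachment; filename="{safe_name}"'
        # Defence in depth: even if the file is opened as a document, allow
        # no script sources and place it in a sandboxed, scriptless context.
        headers["Content-Security-Policy"] = "default-src 'none'; sandbox"
    else:
        headers["Content-Disposition"] = f'inline; filename="{safe_name}"'
    return headers


def find_active_content(svg_bytes: bytes) -> List[str]:
    """Return human-readable findings for active content in an SVG document.

    An empty list means nothing suspicious was found. An unparseable upload is
    reported as a finding too: a file the parser rejects should not be trusted
    on the strength of its extension alone.
    """
    findings: List[str] = []
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"unparseable SVG: {exc}"]

    for elem in root.iter():
        # Drop the namespace prefix: "{http://www.w3.org/2000/svg}script" -> "script"
        local = elem.tag.split("}")[-1].lower() if isinstance(elem.tag, str) else ""
        if local in ("script", "foreignobject"):
            findings.append(f"<{local}> element")
        for attr, value in elem.attrib.items():
            attr_local = attr.split("}")[-1].lower()
            if attr_local.startswith("on"):
                findings.append(f"event handler attribute {attr_local} on <{local}>")
            if attr_local == "href" and value.strip().lower().startswith("javascript:"):
                findings.append(f"javascript: URL in href on <{local}>")
    return findings


# Constructed sample uploads for the demonstration (not taken from the advisory).
BENIGN_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
              b'<circle cx="5" cy="5" r="4" fill="red"/></svg>')
ACTIVE_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" onload="void 0">'
              b'<script>void 0</script></svg>')


if __name__ == "__main__":
    for name, data in (("benign.svg", BENIGN_SVG), ("active.svg", ACTIVE_SVG)):
        print(name, "->", find_active_content(data) or "no active content")
    print(download_headers("diagram.svg", "image/svg+xml"))
    print(download_headers("photo.png", "image/png"))
```

The scanner is deliberately a second line of defence, not the primary fix: SVG has more ways to carry script than a short allow-list can enumerate, so the response headers (attachment plus `nosniff` and the sandboxing CSP) are what actually close the inline-rendering issue the advisory describes.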

Added: Oct 27, 2025, 10:17 PM
Updated: Oct 27, 2025, 10:17 PM

Vulnerability Rating

Custom Algorithm

spread: 3.1
impact: 5.4
exploitability: 5.7
remediation: 7.7
relevance: 0.9
threat: 3.2
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.