Laravel File Manager Authenticated Stored Cross-Site Scripting Vulnerability

Vulnerability

A stored cross-site scripting vulnerability has been identified in Laravel File Manager versions through 3.3.1. This issue allows authenticated users with access to the file manager interface to upload or create files, such as those with .html or .svg extensions, containing malicious JavaScript. The application fails to properly validate the content type or sanitize the output of these files before serving them inline. As a result, the injected scripts can execute in the context of the application's domain when the files are accessed by other users, including administrators.

Impact

Exploitation of this vulnerability leads to stored cross-site scripting, where injected JavaScript is executed persistently within the application's origin. This can result in session hijacking, allowing attackers to steal cookies or perform actions on behalf of the victim. Additionally, the vulnerability could be exploited to spoof user interface elements or redirect users to malicious websites, as well as to access sensitive data within the application that is available to the victim's session.

Reproduction

To reproduce this vulnerability, authenticate with an account that has permission to upload, create, or rename files in Laravel File Manager. Once authenticated, upload a file with a .svg or .html extension that contains a malicious JavaScript payload. The application will store the file without sanitizing the embedded script. When another user, such as an administrator, views the file through the web interface, the JavaScript executes in the context of the application's domain. Alternatively, the vulnerability can be exploited by creating a text file, pasting a JavaScript payload, and renaming the file to have a .svg or .html extension, which will also trigger the execution of the injected script.

Remediation

Users are advised to update to Laravel File Manager version 3.3.2 or later, where this vulnerability has been addressed.

Added: Nov 6, 2025, 5:15 PM
Updated: Nov 6, 2025, 10:21 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.4
exploitability: 5.9
remediation: 0.0
relevance: 0.9
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.