Homarr Stored Cross-Site Scripting Vulnerability Allowing Privilege Escalation
Vulnerability
A stored cross-site scripting (XSS) vulnerability has been identified in Homarr versions prior to 1.43.3. This vulnerability allows the execution of arbitrary JavaScript in a user's browser with minimal or no user interaction, due to the rendering of a maliciously uploaded SVG file. If a user logged in as an administrator views the page that renders or redirects to the SVG, the attacker could gain full administrative access by having their account added to the 'credentials-admin' group. The vulnerability arises from inadequate sanitization of uploaded SVG files, which could be exploited to execute JavaScript and manipulate user permissions.
Impact
Exploitation of this vulnerability could lead to unauthorized execution of JavaScript in users' browsers, with the potential for phishing, malware distribution, or unauthorized administrative access on the Homarr platform.
Remediation
Users should update to Homarr version 1.43.3 or later, where this vulnerability has been patched. After the update, uploaded SVG files are sanitized to remove harmful inline event handlers and JavaScript before being served to users. Additionally, default sandbox attributes have been added to iframe components to restrict the loading of potentially malicious content.
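A defender-side upload check that applies the remediation described above, as an added example that is not Homarr's own code: rather than rewriting the SVG, it rejects any upload containing script content, inline event handlers or script URLs before the file can reach a page that renders it. The function names and the sample uploads are constructed for this illustration.

```javascript
// Added example, not Homarr's own code: a fail-closed check for SVG uploads.
// It rejects any SVG that contains script content, inline event handlers,
// script URLs or elements that embed non-SVG content, so the file never
// reaches a page that renders it. Rejecting is easier to get right than
// rewriting; to rewrite instead, use a DOM-based sanitizer such as DOMPurify.

// Decode numeric (&#106;) and hex (&#x6A;) character references so that an
// attribute value like href="&#106;avascript:..." is checked as "javascript:".
const toChar = (cp) => (cp <= 0x10ffff ? String.fromCodePoint(cp) : '\uFFFD');
function decodeNumericEntities(text) {
  return text
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => toChar(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => toChar(parseInt(d, 10)));
}

// Each pattern is deliberately broad: a false positive costs one rejected
// upload, a false negative can cost an administrator's session.
const UNSAFE_PATTERNS = [
  { reason: 'script element', re: /<\s*script\b/i },
  { reason: 'inline event handler', re: /[\s/"']on[a-z]+\s*=/i },
  { reason: 'script URL', re: /(?:javascript|vbscript)\s*:/i },
  { reason: 'foreign or embedded content', re: /<\s*(?:foreignObject|iframe|object|embed)\b/i },
];

// Returns { safe: true } or { safe: false, reason } for the uploaded text.
// Comments and CDATA sections are not special-cased: scanning the whole
// text is simpler, and the only way it errs is toward rejection.
function checkSvgUpload(svgText) {
  const decoded = decodeNumericEntities(svgText);
  if (!/<\s*svg\b/i.test(decoded)) return { safe: false, reason: 'not an SVG document' };
  for (const { reason, re } of UNSAFE_PATTERNS) {
    if (re.test(decoded)) return { safe: false, reason };
  }
  return { safe: true };
}

// Constructed sample uploads for illustration (not taken from any real report).
const SAMPLE_UPLOADS = {
  plainIcon: '<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>',
  handlerAttr: '<svg xmlns="http://www.w3.org/2000/svg" onload="run()"/>',
  scriptChild: '<svg xmlns="http://www.w3.org/2000/svg"><script>run()</script></svg>',
  encodedHref: '<svg xmlns="http://www.w3.org/2000/svg"><a href="&#106;avascript:run()"/></svg>',
  notSvg: '<html><body>hi</body></html>',
};
```

Serving accepted files with an SVG-specific Content-Security-Policy and a sandboxed iframe, as the patched version does, remains worthwhile as a second layer in case a check like this misses a case.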
