RomM Unrestricted File Upload Vulnerability Leading to Cross-Site Scripting and Admin Account Takeover
Vulnerability
A vulnerability in RomM (ROM Manager) versions prior to 4.4.1, including the 4.4.1-beta.1 pre-release, allows any authenticated user to upload SVG or HTML files. Because the upload is not restricted to safe file types and the stored file is later served from the application's own origin, a browser that opens it executes any embedded JavaScript with the viewer's RomM session, resulting in stored Cross-Site Scripting (XSS). Combined with a Cross-Site Request Forgery (CSRF) misconfiguration in the same application, the XSS can be used for full administrative account takeover, including the creation of a rogue admin account and escalation of existing users to the admin role.
Impact
By chaining the stored XSS with the CSRF misconfiguration, an authenticated low-privileged user (for example, a viewer or editor) can take over an admin account, create a rogue admin account, escalate their own or another user's role to admin, and delete or disable accounts, which amounts to a full compromise of the application.
Reproduction
An authenticated user uploads an SVG or HTML file containing JavaScript to a vulnerable RomM instance. Once stored, the file is served by the application, and when a victim such as an administrator opens it in a browser the embedded script runs with the victim's session, giving stored XSS. The script can then issue requests on the victim's behalf, such as changing an admin account's password without supplying the old password, after which the attacker can log in as that administrator and fully compromise the application.
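The weakness described in the Vulnerability and Reproduction sections is that the server trusts the upload's extension or declared type and later serves the bytes in a way a browser will render as a document. The following is an added example, not RomM's own code and not a description of how 4.4.1 fixes the issue: a content-sniffing upload gate that rejects browser-renderable markup outright and allows only raster images whose leading bytes match a known signature, together with the response headers that keep a user-supplied file inert if it is ever served. All names, functions and sample inputs below are assumptions constructed for illustration.

```python
"""Added example: server-side gate for user-uploaded artwork.

Decides by file *content*, never by filename or client-supplied Content-Type,
and emits headers that stop the browser from treating the file as a document.
Not part of RomM; sample inputs are constructed.
"""
import re
from typing import Optional

# Formats a ROM manager legitimately needs: the leading bytes identify the
# real type regardless of what the upload claims to be.
RASTER_MAGIC = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}
ALLOWED_EXT = {"image/png": ("png",), "image/jpeg": ("jpg", "jpeg"), "image/gif": ("gif",)}

# Anything a browser would parse as HTML/SVG/XML, an event-handler attribute,
# or a javascript: URL. Deliberately conservative: a raster file whose header
# happens to contain such text is rejected rather than risk a polyglot.
ACTIVE_CONTENT = re.compile(
    rb"<\s*(svg|script|html|iframe|object|embed|math|\?xml|!doctype)\b"
    rb"|\bon[a-z]+\s*=|javascript:",
    re.IGNORECASE,
)


def looks_like_markup(data: bytes) -> bool:
    """True if the leading bytes could be rendered by a browser as a document."""
    # Browsers skip a BOM and leading whitespace before sniffing, so do the same.
    head = data[:4096].lstrip(b"\xef\xbb\xbf \t\r\n")
    return ACTIVE_CONTENT.search(head) is not None


def sniff_mime(data: bytes) -> Optional[str]:
    """Return the MIME type of an allowed raster image by signature, else None."""
    for magic, mime in RASTER_MAGIC.items():
        if data.startswith(magic):
            return mime
    return None


def validate_upload(filename: str, data: bytes) -> str:
    """Return the MIME type to store the file as, or raise ValueError.

    Order matters: active content is refused before the signature check so a
    disguised SVG named cover.png never reaches the allow-list.
    """
    if looks_like_markup(data):
        raise ValueError("active content (HTML/SVG/script) is not an allowed upload")
    mime = sniff_mime(data)
    if mime is None:
        raise ValueError("unrecognised or disallowed file type")
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_EXT[mime]:
        raise ValueError(f"extension .{ext} does not match content {mime}")
    return mime


def is_accepted(filename: str, data: bytes) -> bool:
    """Convenience wrapper: True if validate_upload would accept the file."""
    try:
        validate_upload(filename, data)
        return True
    except ValueError:
        return False


def download_headers(stored_mime: str, stored_name: str) -> dict:
    """Headers for serving a stored upload so it cannot run script in our origin.

    nosniff: the browser must not second-guess the Content-Type we send.
    attachment: a top-level navigation to the file downloads it instead of
      rendering it (subresource use such as <img> is unaffected).
    sandbox CSP: if it is rendered anyway, it gets an opaque origin with no
      script and no access to the application's cookies or session.
    """
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", stored_name)
    return {
        "Content-Type": stored_mime,
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "Content-Security-Policy": "sandbox; default-src 'none'",
        "Cache-Control": "no-store",
    }


# Constructed sample inputs (not real RomM uploads).
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01" + b"\x00" * 16
SAMPLE_SVG = (b'<?xml version="1.0"?><svg xmlns="http://www.w3.org/2000/svg" '
              b'onload="alert(document.cookie)"/>')
SAMPLE_HTML = b"<!DOCTYPE html><html><body><script>fetch('/api/users')</script></body></html>"
# Same SVG idea, but whitespace-padded and uploaded under a .png name.
SAMPLE_DISGUISED = b'  <svg xmlns="http://www.w3.org/2000/svg"><script>/* */</script></svg>'

if __name__ == "__main__":
    for name, blob in [("cover.png", SAMPLE_PNG), ("cover.svg", SAMPLE_SVG),
                       ("cover.png", SAMPLE_DISGUISED), ("index.html", SAMPLE_HTML)]:
        print(f"{name:12} accepted={is_accepted(name, blob)}")
```

The two halves are independent layers: the validator keeps SVG/HTML out of storage, and the headers make sure that even a file that slips past classification cannot execute in the application's origin when fetched directly.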
Remediation
Update to RomM version 4.4.1, or to 4.4.1-beta.2 on the beta channel; both releases address this vulnerability.
