Algernon Cross-Site Scripting Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in Algernon version 1.17.4. This issue allows attackers to execute arbitrary code by injecting a crafted payload into a filename. The vulnerability arises because filenames are inserted directly into HTML without proper escaping in directory listings. An attacker could exploit this by uploading files with malicious names that trigger the XSS payload when the directory is accessed.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where the injected script is executed in the context of the user viewing the affected page.

Reproduction

To reproduce this vulnerability, upload a file with a name containing an XSS payload, such as an image file (like a .svg or .txt) with an embedded script (for example, an image tag with an 'onerror' event). Once the file is uploaded, access the directory listing where the file was uploaded. The XSS payload will be executed, demonstrating the vulnerability.

Remediation

This vulnerability has been patched in Algernon version 1.17.5. Users are advised to update to this version.