Sync-in Server Stored Cross-Site Scripting Vulnerability
Vulnerability
A stored cross-site scripting vulnerability has been identified in Sync-in Server versions prior to 1.9.3. This vulnerability allows authenticated attackers to execute arbitrary JavaScript in the context of the victim's browser. By uploading a specially crafted SVG file containing a malicious payload, an attacker can access and exfiltrate sensitive information such as session cookies and CSRF tokens.
Impact
Exploitation of this vulnerability allows for the execution of malicious JavaScript in the victim's browser, potentially leading to the theft of session cookies, CSRF tokens, and other sensitive information.
Reproduction
To reproduce this vulnerability, authenticate to the Sync-in Server instance and upload an SVG file containing a JavaScript payload, for example a script tag that calls 'alert(document.domain)' or 'alert(document.cookie)'. After uploading, share the raw file URL with a victim. When the victim opens the URL, the JavaScript executes in their browser.
Remediation
Users are advised to upgrade to Sync-in Server version 1.9.3 or later.
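For reviewing SVG files that were already uploaded to an instance, the following added example (not Sync-in's code and not the project's fix) flags SVGs that carry active content. It goes beyond the script tag described above to also cover event-handler attributes and script-scheme links. The function name, finding labels and sample files are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Elements that run script or embed a foreign document inside an SVG.
ACTIVE_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}
URL_ATTRS = {"href", "src"}  # xlink:href also reduces to "href" below
SCRIPT_SCHEMES = ("javascript:", "vbscript:", "data:text/html")

def _local(name):
    """Drop the '{namespace}' prefix ElementTree adds; lowercase to be conservative."""
    return name.rsplit("}", 1)[-1].lower()

def audit_svg(data: bytes) -> list:
    """Return reasons to treat an uploaded SVG as active content ([] if none found)."""
    # Entity declarations have no place in a user-uploaded image; flag without parsing.
    if re.search(rb"<!ENTITY", data, re.I):
        return ["entity-declaration"]
    try:
        root = ET.fromstring(data)
    except (ET.ParseError, ValueError, LookupError):
        return ["unparseable"]  # cannot be cleared, so send to manual review
    findings = []
    for el in root.iter():
        tag = _local(el.tag)
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"element:{tag}")
        for name, value in el.attrib.items():
            attr = _local(name)
            # URL parsers strip tabs, newlines and leading control characters,
            # so normalise the value before comparing schemes.
            compact = re.sub(r"[\s\x00-\x20]+", "", value).lower()
            if attr.startswith("on"):
                findings.append(f"handler:{tag}@{attr}")
            elif attr in URL_ATTRS and compact.startswith(SCRIPT_SCHEMES):
                findings.append(f"url:{tag}@{attr}")
    return findings

# Constructed samples for illustration, not files from a real instance.
BENIGN = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'
SCRIPTED = (b'<svg xmlns="http://www.w3.org/2000/svg">'
            b"<script>alert(document.domain)</script></svg>")
HANDLER = b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.cookie)"/>'

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("scripted", SCRIPTED), ("handler", HANDLER)):
        print(label, audit_svg(blob) or "clean")
```

This is a triage aid for finding suspicious uploads, not a sanitizer: a file it reports as clean has only passed these specific checks.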
