Podinfo Arbitrary File Upload Vulnerability Leading to Stored Cross-Site Scripting
Vulnerability
An arbitrary file upload vulnerability has been identified in Podinfo versions through 6.9.0. Unauthenticated attackers can store arbitrary content by sending a crafted POST request to the /store endpoint. Because the application serves the stored content back without a safe, fixed Content-Type and without a restrictive Content-Security-Policy, attacker-supplied HTML is rendered by the browser on the application's origin, enabling Stored Cross-Site Scripting (XSS).
Impact
Exploitation of this vulnerability allows Stored Cross-Site Scripting: injected scripts execute on the affected domain's origin in the browser of any user who visits the attacker-supplied URL, with access to that origin's cookies, storage and authenticated requests.
Reproduction
To reproduce this vulnerability, send a POST request to the /store endpoint whose body is HTML containing a script tag. The server responds with a hash of the uploaded content. Requesting that hash with a GET request to /store/{hash} returns the stored body, and the browser executes the injected script in the context of the domain.
Remediation
Users are advised to disable the storage feature if it is not needed. Where it is needed, data served from the /store endpoint should be returned with a fixed non-HTML Content-Type (for example text/plain) together with X-Content-Type-Options: nosniff so that browsers do not sniff it into HTML, and the application should send a strict Content-Security-Policy that forbids script execution for that content.
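The following Go program is an added illustration written for this page; it is not Podinfo's own code. It models the /store behaviour described above with an in-memory store (the hash is assumed here to be the SHA1 hex digest of the body, and the payload, route layout and handler names are constructed for the example), runs the reproduction steps in process, and shows the vulnerable read handler beside a hardened one. The point it makes concrete is Go-specific: when a handler writes a body without setting Content-Type, net/http sniffs the first bytes with http.DetectContentType and labels a body starting with `<script>` as text/html.

```go
package main

import (
	"crypto/sha1"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
	"sync"
)

// Constructed stored-XSS payload; any HTML starting with a tag Go's MIME sniffer
// recognises (<html, <script, <body, ...) behaves the same way.
const payload = `<script>alert(document.domain)</script>`

// store stands in for the on-disk data directory: bytes keyed by their SHA1 hex digest.
type store struct {
	mu    sync.Mutex
	files map[string][]byte
}

func newStore() *store { return &store{files: map[string][]byte{}} }

// write models POST /store: hash the raw body, keep it, return the hash as JSON.
// Nothing authenticates the caller and nothing restricts what the body may contain.
func (s *store) write(w http.ResponseWriter, r *http.Request) {
	body, err := io.ReadAll(io.LimitReader(r.Body, 1<<20))
	if err != nil {
		http.Error(w, "read error", http.StatusBadRequest)
		return
	}
	sum := sha1.Sum(body)
	hash := hex.EncodeToString(sum[:])
	s.mu.Lock()
	s.files[hash] = body
	s.mu.Unlock()
	w.Header().Set("Content-Type", "application/json; charset=utf-8")
	json.NewEncoder(w).Encode(map[string]string{"hash": hash})
}

func (s *store) lookup(r *http.Request) ([]byte, bool) {
	s.mu.Lock()
	defer s.mu.Unlock()
	body, ok := s.files[strings.TrimPrefix(r.URL.Path, "/store/")]
	return body, ok
}

// vulnerableRead echoes the stored bytes with no Content-Type of its own. net/http then
// sniffs the first bytes, labels "<script>..." as text/html, and the browser executes it
// on the application's origin.
func (s *store) vulnerableRead(w http.ResponseWriter, r *http.Request) {
	body, ok := s.lookup(r)
	if !ok {
		http.NotFound(w, r)
		return
	}
	w.Write(body)
}

// hardenedRead serves the same bytes as inert data: a fixed text/plain type, nosniff so
// the browser must honour it, a CSP that allows nothing, and an attachment disposition
// so the response is downloaded rather than rendered inline.
func (s *store) hardenedRead(w http.ResponseWriter, r *http.Request) {
	body, ok := s.lookup(r)
	if !ok {
		http.NotFound(w, r)
		return
	}
	h := w.Header()
	h.Set("Content-Type", "text/plain; charset=utf-8")
	h.Set("X-Content-Type-Options", "nosniff")
	h.Set("Content-Security-Policy", "default-src 'none'; sandbox")
	h.Set("Content-Disposition", "attachment")
	w.Write(body)
}

// reproduce performs the advisory's two requests in process: upload the payload, read the
// hash from the JSON reply, fetch /store/{hash}, and report the Content-Type of the fetch.
// That header is what decides whether the browser renders the payload or treats it as data.
func reproduce(hardened bool) (hash, contentType string, err error) {
	s := newStore()
	mux := http.NewServeMux()
	mux.HandleFunc("/store", s.write)
	if hardened {
		mux.HandleFunc("/store/", s.hardenedRead)
	} else {
		mux.HandleFunc("/store/", s.vulnerableRead)
	}
	post := httptest.NewRecorder()
	mux.ServeHTTP(post, httptest.NewRequest(http.MethodPost, "/store", strings.NewReader(payload)))
	var reply map[string]string
	if err := json.NewDecoder(post.Body).Decode(&reply); err != nil {
		return "", "", err
	}
	hash = reply["hash"]
	get := httptest.NewRecorder()
	mux.ServeHTTP(get, httptest.NewRequest(http.MethodGet, "/store/"+hash, nil))
	return hash, get.Result().Header.Get("Content-Type"), nil
}

func main() {
	for _, hardened := range []bool{false, true} {
		hash, ct, err := reproduce(hardened)
		if err != nil {
			panic(err)
		}
		fmt.Printf("hardened=%-5v hash=%s Content-Type=%q\n", hardened, hash, ct)
	}
}
```

Running it prints text/html; charset=utf-8 for the vulnerable handler and text/plain; charset=utf-8 for the hardened one, with the same hash in both cases. Setting Content-Type alone is not enough on its own: without nosniff some browsers will still sniff an HTML-looking text/plain body, which is why the hardened handler sends all four headers.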
