Oitcode Samarium Cross-Site Scripting Vulnerability in Team Image Handler
Vulnerability
A cross-site scripting (XSS) vulnerability has been identified in Oitcode Samarium Business Management System, all versions through 0.9.6. The issue resides in the Team Image Handler component, reachable at '/dashboard/team'. The handler accepts SVG uploads, and a crafted SVG file executes arbitrary JavaScript when accessed in the browser, potentially leading to session hijacking or other exploits.
Impact
Exploitation of this vulnerability allows for stored cross-site scripting, where uploaded SVG files execute embedded scripts when accessed. This could lead to session hijacking, as attackers can steal session cookies or other sensitive information. The vulnerability can be exploited remotely, without authentication, and requires user interaction.
Reproduction
To reproduce this vulnerability, navigate to the '/dashboard/team' section of the application. Use the image upload feature to upload a crafted SVG file containing JavaScript. Once the file is uploaded, access it directly, which will trigger the execution of the embedded script in the context of the user's session.
Remediation
It is recommended to restrict or block SVG uploads, implement server-side sanitization of SVG files using secure libraries like DOMPurify, and enforce strict MIME type and content validation for uploaded files. Additionally, serving uploaded files from a separate domain or with a Content-Type of 'application/octet-stream' can prevent in-browser execution.
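The following is an added example of the upload-side and serving-side controls described above; it is not Samarium's code, and the function names, the size cap and the allowed-format table are assumptions. It rejects SVG by inspecting the bytes (an XML/SVG body renamed to .png is still caught), requires the declared MIME type, the extension and the sniffed magic bytes to agree, stores files under a server-chosen name, and builds the download headers that keep the browser from rendering a stored file inline. Note that DOMPurify sanitizes markup inside a DOM, so using it server-side means running it under Node with a DOM shim; the simpler option taken here is to not accept SVG at all.

```python
"""Upload hardening for an image handler (added example, not Samarium's code).

Two defences the advisory recommends: (1) accept only raster images, verified by
magic bytes rather than by the client-declared MIME type or extension, so an SVG
renamed to .png is still rejected; (2) serve stored files with headers that make
the browser download them instead of executing them in the page's origin.
"""
import os
import re
import secrets

# Allowed raster formats (assumed policy): extension -> (MIME type, magic prefixes).
ALLOWED = {
    ".png":  ("image/png",  [b"\x89PNG\r\n\x1a\n"]),
    ".jpg":  ("image/jpeg", [b"\xff\xd8\xff"]),
    ".jpeg": ("image/jpeg", [b"\xff\xd8\xff"]),
    ".gif":  ("image/gif",  [b"GIF87a", b"GIF89a"]),
}
MAX_BYTES = 2 * 1024 * 1024  # hypothetical size cap

# Anything that starts like XML/SVG/HTML (optionally after a UTF-8 BOM and
# whitespace) is markup, not a raster image, regardless of its name.
_MARKUP_LIKE = re.compile(rb"^(\xef\xbb\xbf)?\s*(<\?xml|<svg|<!doctype|<html)", re.IGNORECASE)


def sniff_mime(data: bytes):
    """Return the MIME type implied by the file's leading bytes, or None."""
    for _ext, (mime, magics) in ALLOWED.items():
        if any(data.startswith(m) for m in magics):
            return mime
    return None


def validate_upload(filename: str, declared_type: str, data: bytes):
    """Return (True, mime) when every check passes, else (False, reason)."""
    if len(data) == 0 or len(data) > MAX_BYTES:
        return False, "size out of range"
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED:
        return False, f"extension {ext or '(none)'} not allowed"
    # SVG is XML: look at the bytes, never trust the name or the declared type alone.
    if _MARKUP_LIKE.match(data):
        return False, "XML/SVG content rejected"
    sniffed = sniff_mime(data)
    if sniffed is None:
        return False, "unrecognised image format"
    expected = ALLOWED[ext][0]
    if sniffed != expected:
        return False, f"content is {sniffed}, extension implies {expected}"
    if declared_type.lower().split(";")[0].strip() != expected:
        return False, f"declared type {declared_type!r} does not match {expected}"
    return True, expected


def storage_name(filename: str) -> str:
    """Random server-chosen name; the user-supplied name never reaches the filesystem."""
    ext = os.path.splitext(filename)[1].lower()
    return secrets.token_hex(16) + ext


def download_headers(stored_name: str) -> dict:
    """Headers for serving a stored upload: download, no sniffing, no scripts."""
    return {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": f'attachment; filename="{stored_name}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }


if __name__ == "__main__":
    # Constructed sample inputs: a minimal PNG header and a benign SVG document.
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
    svg = b'<?xml version="1.0"?><svg xmlns="http://www.w3.org/2000/svg"></svg>'
    print(validate_upload("avatar.png", "image/png", png))   # (True, 'image/png')
    print(validate_upload("avatar.png", "image/png", svg))   # (False, 'XML/SVG content rejected')
    print(download_headers(storage_name("avatar.png")))
```

Serving every upload as application/octet-stream, as the advisory suggests, also stops legitimate images from rendering inline; a common compromise is to apply the validation above at upload time and serve the verified raster images from a separate origin with their real image/* type plus nosniff, while the octet-stream headers are used for anything the application only offers for download.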