SimStudioAI Unrestricted File Upload Vulnerability in HTML File Parser Component
Vulnerability
SimStudioAI's 'sim' application, in versions through 'ed9b9ad83f1a7c61f4392787fb51837d34eeb0af', has a vulnerability in its file upload feature. The issue is located in the 'Import' function of 'apps/sim/app/api/files/upload/route.ts', within the HTML File Parser component. The upload functionality does not properly validate or sanitize uploaded files, so arbitrary files can be uploaded, including HTML files that contain malicious scripts. The issue can be exploited remotely and has been made public.
Impact
Exploitation of this vulnerability allows unrestricted file uploads, including HTML files that carry cross-site scripting (XSS) payloads. The result is a stored XSS vulnerability: the uploaded malicious file is kept by the application and its script executes when the file is later served, potentially harming users or the application itself.
Reproduction
To reproduce this vulnerability, upload a file through the '/api/files/upload' endpoint using a POST request. Include a file named 'test.html' with a script tag containing JavaScript code, such as an alert. The response should indicate a successful upload, and the uploaded file can be accessed through the application's file serving endpoint.
Remediation
A patch has been applied in the commit '45372aece5e05e04b417442417416a52e90ba174', which is available for download.
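One way to close this class of issue, shown as an added example that is not the project's patch or code: an extension allowlist plus a content check at upload time, and response headers at serve time that stop a browser from rendering a stored file. The function names, the allowlist contents and the sample inputs are assumptions.

```typescript
// Added example; all names here are hypothetical, not taken from the sim code base.
const ALLOWED: Record<string, string> = {
  ".pdf": "application/pdf",
  ".png": "image/png",
  ".txt": "text/plain",
  ".csv": "text/csv",
};
// Tags that a browser would treat as active content if the bytes were rendered.
const ACTIVE_MARKUP = /<\s*(!doctype|html|script|svg|iframe|body|img|object)\b/i;

interface Verdict { ok: boolean; contentType?: string; reason?: string }

// Constructed helper for building sample inputs from ASCII text.
function ascii(s: string): Uint8Array {
  return Uint8Array.from(s.split("").map((c) => c.charCodeAt(0)));
}

// Upload side: allowlist the extension, then inspect the leading bytes.
function validateUpload(fileName: string, bytes: Uint8Array): Verdict {
  const base = fileName.split(/[\\/]/).pop() ?? "";
  const dot = base.lastIndexOf(".");
  const ext = dot > 0 ? base.slice(dot).toLowerCase() : "";
  const contentType = ALLOWED[ext];
  if (!contentType) return { ok: false, reason: `extension not allowed: ${ext || "(none)"}` };
  // Conservative: reject markup even under an allowed extension (renamed HTML).
  const head = String.fromCharCode(...Array.from(bytes.slice(0, 1024)));
  if (ACTIVE_MARKUP.test(head)) return { ok: false, reason: "active markup in content" };
  return { ok: true, contentType };
}

// Serving side: the type comes from the allowlist, never from the uploader,
// and the response is forced to download instead of rendering in the app's origin.
function serveHeaders(contentType: string, fileName: string): Record<string, string> {
  const safeName = fileName.replace(/[^\w.-]/g, "_");
  return {
    "Content-Type": contentType,
    "Content-Disposition": `attachment; filename="${safeName}"`,
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'none'; sandbox",
  };
}

// Constructed samples: the advisory's test.html case and a benign text file.
const rejected = validateUpload("test.html", ascii("<script>alert(1)</script>"));
const accepted = validateUpload("notes.txt", ascii("meeting notes"));
console.log(rejected, accepted, serveHeaders(accepted.contentType ?? "application/octet-stream", "notes.txt"));
```

The upload check alone is not sufficient if older files are already stored, which is why the serving headers are applied to every response regardless of when the file was uploaded.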
