Red Hat Quay Stored Cross-Site Scripting Vulnerability via Unvalidated SVG File Upload

Vulnerability

A stored cross-site scripting vulnerability has been identified in Red Hat Quay. The issue arises in the filedrop endpoint, which accepts any MIME type without proper validation. This flaw allows authenticated users with repository write access to upload malicious SVG files containing JavaScript. Once uploaded, these files are stored and served through the CDN. When a victim accesses the archive URL, the SVG is rendered inline and the embedded JavaScript is executed.

Impact

Exploitation of this vulnerability leads to stored cross-site scripting, where injected scripts are executed in the context of the user visiting the archive URL.

Reproduction

To reproduce this vulnerability, an authenticated user with repository write access can upload a malicious SVG file through the filedrop endpoint. The uploaded file should contain JavaScript payloads. After the file is uploaded, the user can create a build that references the file, obtaining an archive URL that serves the SVG through the CDN. When the archive URL is visited, the browser will execute the embedded JavaScript in the SVG file.
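The two controls whose absence the description above relies on, upload-time type validation and non-inline serving, are sketched below as an added example; it is not Quay's code or its fix. The allowlist of archive types, the function names and the sample bytes are assumptions made for illustration.

```python
import re

# Assumed allowlist of build-archive types and their magic bytes (not Quay's own list).
ALLOWED_MAGIC = {
    "application/gzip": (0, b"\x1f\x8b"),
    "application/zip": (0, b"PK\x03\x04"),
    "application/x-tar": (257, b"ustar"),
}
# Markup a browser can render and script when it is served inline.
ACTIVE_MARKUP = re.compile(rb"<\s*(svg|html|script|\?xml|!doctype)", re.IGNORECASE)


def validate_upload(declared_type, body):
    """Return (accepted, reason): the type must be allowlisted AND match the bytes."""
    mime = declared_type.split(";", 1)[0].strip().lower()
    if mime not in ALLOWED_MAGIC:
        return False, "declared type %r is not allowlisted" % mime
    offset, magic = ALLOWED_MAGIC[mime]
    if body[offset:offset + len(magic)] != magic:
        return False, "content does not match declared type"
    return True, "ok"


def audit_stored(objects):
    """Return names of already-stored objects whose first 1 KiB looks like markup."""
    return sorted(name for name, body in objects.items()
                  if ACTIVE_MARKUP.search(body[:1024]))


def download_headers():
    """Response headers that make a browser download the object, never render it."""
    return {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": 'attachment; filename="archive.bin"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "sandbox; default-src 'none'",
    }


# Constructed samples: a benign SVG (no script) and a minimal gzip header.
SVG = b'<?xml version="1.0"?>\n<svg xmlns="http://www.w3.org/2000/svg"></svg>'
GZIP = b"\x1f\x8b\x08\x00" + b"\x00" * 16

if __name__ == "__main__":
    print(validate_upload("image/svg+xml", SVG))      # rejected: type not allowlisted
    print(validate_upload("application/gzip", SVG))   # rejected: spoofed type
    print(validate_upload("application/gzip; charset=binary", GZIP))
    print(audit_stored({"a.tar.gz": GZIP, "logo": SVG}))
    print(download_headers())
```

The audit helper is for objects stored before validation existed; the headers apply on the serving side regardless of what validation accepted.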

Added: Jun 8, 2026, 12:26 PM
Updated: Jun 8, 2026, 12:26 PM

Vulnerability Rating

Custom Algorithm

spread: 3.1
impact: 1.7
exploitability: 6.2
remediation: 8.3
relevance: 9.3
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.