Termix Stored Cross-Site Scripting Vulnerability in File Manager Component
Vulnerability
A stored cross-site scripting vulnerability has been identified in the Termix web-based server management platform, specifically in versions 1.7.0 through 1.9.0. The issue arises in the File Manager component, where the application fails to properly sanitize SVG file content before displaying it. This lack of sanitization allows an attacker, who has compromised a managed SSH server, to upload a malicious SVG file. When this file is previewed by a Termix user, it executes arbitrary JavaScript within the application context. The vulnerability is present in the FileViewer component of the File Manager.
Impact
Exploitation of this vulnerability leads to stored cross-site scripting, where injected JavaScript is executed in the context of the user viewing the file. In the Electron desktop version of Termix, this vulnerability allows for arbitrary local file inclusion, enabling attackers to read sensitive files from the user's machine. In a web browser, the same vulnerability could be used to steal JWT tokens from local storage, hijacking the user's session.
Reproduction
To reproduce this vulnerability, an attacker must first compromise a server managed by the victim through Termix. Once access is gained, the attacker can create a malicious SVG file and inject a JavaScript payload into it. After uploading the file to the compromised server, the victim must open Termix, navigate to the file using the File Manager, and preview it. This action triggers the execution of the injected JavaScript payload.
Remediation
Users can update to Termix version 1.10.0, where this vulnerability has been fixed.
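For file viewers that preview SVG fetched from remote hosts, the example below shows one defensive pattern against the unsanitized-SVG problem described above: hand the file to an image element as a data: URL, where browsers render SVG without executing scripts, and flag active content for a warning. It is an added example, not Termix code and not a description of the 1.10.0 fix; the function names and sample SVG strings are hypothetical and constructed for illustration.

```javascript
// Added example (hypothetical helper names; not Termix code).
// Idea: never inline untrusted SVG markup into the DOM. Load it through <img>,
// where browsers render SVG with scripting disabled, and flag active content
// so the viewer can warn the user or log the event.

const ACTIVE_CONTENT = [
  { name: "script element", re: /<\s*(?:[\w-]+:)?script[\s>\/]/i },
  { name: "event handler attribute", re: /\son[a-z]+\s*=/i },
  { name: "javascript: URL", re: /(?:href|src)\s*=\s*["']?\s*javascript:/i },
  { name: "foreignObject element", re: /<\s*(?:[\w-]+:)?foreignObject[\s>\/]/i },
];

// Triage heuristic only: returns the names of the markers found.
// It is not a sanitizer and must not be the sole control.
function findActiveContent(svgText) {
  return ACTIVE_CONTENT.filter(({ re }) => re.test(svgText)).map(({ name }) => name);
}

// Build a src value for <img>. Base64 avoids quoting and escaping issues.
// Buffer keeps the example runnable under Node; in a browser, a Blob URL
// (URL.createObjectURL) serves the same purpose.
function svgPreviewSrc(svgText) {
  const b64 = Buffer.from(svgText, "utf8").toString("base64");
  return `data:image/svg+xml;base64,${b64}`;
}

// Decide how a file viewer should present an SVG read from a managed server.
function planSvgPreview(svgText) {
  const findings = findActiveContent(svgText);
  return {
    render: "img", // never innerHTML / dangerouslySetInnerHTML
    src: svgPreviewSrc(svgText),
    warn: findings.length > 0,
    findings,
  };
}

// Constructed sample inputs.
const benignSvg = '<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>';
const activeSvg =
  '<svg xmlns="http://www.w3.org/2000/svg" onload="void 0">' +
  "<script>/* constructed placeholder */</script></svg>";

console.log(planSvgPreview(benignSvg).findings);
console.log(planSvgPreview(activeSvg).findings);
```

The image-element rendering is the control here; the marker list only drives the warning and should be treated as incomplete.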
