Saleor
cpe:2.3:a:saleor:saleor:*:*:*:*:*:*:*
- >= 3.0.0, < 3.22.27
- >= 3.0.0, < 3.21.43
- >= 3.0.0, < 3.20.108
A stored cross-site scripting vulnerability has been identified in Saleor, an e-commerce platform. This issue affects versions 3.0.0 prior to 3.20.108, 3.21.43, and 3.22.27. The vulnerability arises from unrestricted file uploads that allow authenticated staff users or apps to upload arbitrary files, including malicious HTML and SVG files with embedded JavaScript. Depending on the deployment strategy, these files could be served from the same domain as the dashboard, without restrictions, leading to the execution of harmful scripts in the user's browser context. This vulnerability could allow malicious staff to inject scripts that target other staff members, potentially stealing their access and refresh tokens.
Exploitation of this vulnerability could result in stored cross-site scripting, allowing injected scripts to be executed in the context of the user's browser.
To reproduce this vulnerability, upload a file with a .svg or .html extension, including JavaScript payloads, through the Saleor dashboard while using an affected version. Ensure that the media files are hosted on the same domain as the dashboard and that the 'Content-Disposition' header is not set to 'attachment'. After uploading, the injected script will execute when the file is accessed, demonstrating the cross-site scripting vulnerability.
Users can upgrade to Saleor versions 3.22.27, 3.21.43, or 3.20.108, where this vulnerability has been patched. For those unable to upgrade, it is recommended to configure the server hosting media files to return the 'Content-Disposition: attachment' header, preventing browsers from rendering the files. Additionally, servers should be set to block HTML and SVG files. Saleor users can run the command './manage.py remove_invalid_files' to scan for and remove any files that may have been uploaded during the vulnerability window.
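The two workaround steps above (refuse HTML/SVG uploads, and serve stored media with `Content-Disposition: attachment`) can be enforced in application code as well as at the web server. The following is an added illustration, not Saleor's own code: `inspect_upload` and `media_response_headers` are hypothetical helper names, the blocked-extension list and the header set are the author's choices, and the sample file contents are constructed inline. It goes slightly beyond the advisory by also sniffing the first bytes, so an HTML or SVG body renamed to a harmless extension is caught.

```python
"""Defensive checks for user-uploaded media, modelled on the advisory's workarounds.
Hypothetical helper code; not part of Saleor."""
import re
from dataclasses import dataclass
from pathlib import PurePosixPath

# Extensions a browser renders as a document that can carry script when served inline.
BLOCKED_EXTENSIONS = {".html", ".htm", ".xhtml", ".svg", ".svgz"}

# Markup that marks a body as HTML or SVG regardless of the filename it was given.
_ACTIVE_MARKUP_RE = re.compile(rb"<\s*(?:!doctype\s+html|html|svg|script)\b", re.IGNORECASE)


@dataclass
class UploadDecision:
    allowed: bool
    reason: str


def inspect_upload(filename: str, head: bytes) -> UploadDecision:
    """Decide whether an upload may be stored.

    `head` is the leading chunk of the file (a few KiB is enough); the check looks
    at both the extension and the content so a renamed SVG/HTML body is rejected too.
    """
    suffix = PurePosixPath(filename).suffix.lower()
    if suffix in BLOCKED_EXTENSIONS:
        return UploadDecision(False, f"extension {suffix} is not allowed")

    # Drop a UTF-8 BOM and leading whitespace; real images start with a binary
    # signature, so only bodies that begin with '<' need the markup check.
    sample = head[:4096].lstrip(b"\xef\xbb\xbf \t\r\n")
    if sample.startswith(b"<") and _ACTIVE_MARKUP_RE.search(sample):
        return UploadDecision(False, "content looks like HTML or SVG markup")

    return UploadDecision(True, "ok")


def media_response_headers(filename: str, content_type: str) -> dict:
    """Headers for serving already-stored media so browsers download it instead of
    rendering it, which is the advisory's workaround for deployments that host
    media on the dashboard's own origin."""
    safe_name = PurePosixPath(filename).name.replace('"', "")
    return {
        "Content-Type": content_type,
        # Forces a download prompt; the file is never rendered as a page.
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        # Stops MIME sniffing from upgrading a file to text/html.
        "X-Content-Type-Options": "nosniff",
        # Defence in depth if a reverse proxy ever strips the header above.
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }


if __name__ == "__main__":
    # Constructed sample uploads, not files from any real deployment.
    samples = [
        ("logo.png", b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR"),
        ("chart.svg", b"<svg xmlns='http://www.w3.org/2000/svg'/>"),
        ("index.html", b"<!DOCTYPE html><title>x</title>"),
        ("photo.jpg", b"<?xml version='1.0'?><svg xmlns='http://www.w3.org/2000/svg'></svg>"),
        ("notes.txt", b"plain text, nothing to render"),
    ]
    for name, head in samples:
        decision = inspect_upload(name, head)
        print(f"{name:12} allowed={decision.allowed!s:5} {decision.reason}")
    print(media_response_headers("chart.svg", "image/svg+xml"))
```

The extension check alone is what the advisory asks for; the content check covers the case where a web server maps `Content-Type` by extension but a proxy or CDN in front of it sniffs the body instead.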