HomeBox Stored Cross-Site Scripting Vulnerability in Attachment Upload

Vulnerability

A stored cross-site scripting vulnerability has been identified in HomeBox versions prior to 0.24.0-rc.1. The issue arises in the item attachment upload feature, where the application fails to adequately validate or restrict uploaded file types. This flaw allows authenticated users to upload malicious HTML or SVG files (and potentially other script-rendering formats) containing executable JavaScript. Uploaded attachments can be accessed via direct links, and when such a file is opened in a browser, the embedded JavaScript executes within the application's origin context.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where uploaded attachments containing malicious scripts are executed in the context of the application's origin when accessed. This could lead to client-side manipulation or unauthorized actions being performed on behalf of the user, depending on the application's existing security measures.

Remediation

Users can update to HomeBox version 0.24.0-rc.1 or later, where this vulnerability has been patched.
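
For anyone reviewing a similar upload feature, the sketch below shows one defensive way to serve stored attachments so that HTML and SVG are downloaded rather than rendered in the application's origin. It is an added example, not HomeBox's code and not the 0.24.0-rc.1 patch; the names AttachmentHeaders and inlineSafe and the allowlist contents are assumptions.

```go
package main

import (
	"fmt"
	"mime"
	"net/http"
	"path/filepath"
)

// inlineSafe lists raster image types that browsers display without running
// script. The allowlist is an assumption of this sketch.
var inlineSafe = map[string]bool{
	"image/png": true, "image/jpeg": true, "image/gif": true, "image/webp": true,
}

// AttachmentHeaders builds the response headers for serving a stored upload.
// head holds the first bytes of the file; at most 512 are inspected.
func AttachmentHeaders(filename string, head []byte) http.Header {
	// Classify by content, never by the uploader-supplied name or type.
	sniffed, _, _ := mime.ParseMediaType(http.DetectContentType(head))
	ctype, disp := "application/octet-stream", "attachment"
	if inlineSafe[sniffed] {
		ctype, disp = sniffed, "inline"
	}
	params := map[string]string{"filename": filepath.Base(filename)}
	h := http.Header{}
	h.Set("Content-Type", ctype)
	h.Set("Content-Disposition", mime.FormatMediaType(disp, params))
	// Keep the browser from overriding the declared type by sniffing.
	h.Set("X-Content-Type-Options", "nosniff")
	// If the body is still rendered as a document, it runs in a sandboxed
	// opaque origin with scripts disabled.
	h.Set("Content-Security-Policy", "sandbox; default-src 'none'")
	return h
}

func main() {
	// Constructed sample uploads: file name and leading bytes.
	samples := [][2]string{
		{"note.html", "<html><body><script>/* constructed */</script></body></html>"},
		{"icon.svg", `<svg xmlns="http://www.w3.org/2000/svg"><script>/* constructed */</script></svg>`},
		{"photo.png", "\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR"},
	}
	for _, s := range samples {
		h := AttachmentHeaders(s[0], []byte(s[1]))
		fmt.Printf("%-10s %s | %s\n", s[0], h.Get("Content-Type"), h.Get("Content-Disposition"))
	}
}
```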

Added: Mar 3, 2026, 11:22 PM
Updated: Mar 3, 2026, 11:22 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 1.7
exploitability: 5.5
remediation: 0.0
relevance: 3.4
threat: 3.2
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.