LinkAce Stored Cross-Site Scripting Vulnerability in Atom Feed
Vulnerability
A stored cross-site scripting vulnerability has been identified in LinkAce versions up to and including 2.4.2. The issue is in the Atom feed endpoint for lists: an authenticated user can place a payload in a list description that terminates the XML CDATA section the description is emitted into. Because the feed is served as XML, the browser parses it with its XML parser rather than the forgiving HTML parser, so an SVG element declared in the SVG namespace that follows the CDATA terminator becomes a real element node, and its event handler (for example onload) executes arbitrary JavaScript whenever the feed URL is opened. The root cause is that the feed template writes the description with Blade's raw output syntax, so neither HTML tags nor the CDATA terminator ']]>' are escaped before the value is embedded in the document.
Impact
Exploitation of this vulnerability allows stored cross-site scripting: the injected script runs in the LinkAce origin, with the privileges of whichever user opens the feed URL in a browser.
Reproduction
To reproduce this vulnerability, log in to LinkAce as an authenticated user. Create or edit a list and set its visibility to 'Internal' or 'Public' so that it is included in the feed. In the description field, insert a payload that first closes the CDATA section with the sequence ']]>' and then supplies an SVG element in the SVG namespace carrying an event handler such as 'onload'. Save the list, then open '/lists/feed' in a browser. The browser's XML parser instantiates the SVG element and fires its handler, demonstrating the cross-site vulnerability. For comparison, the same payload placed in a link description does not execute, because the links feed strips HTML tags from the description before output.
Remediation
Users are advised to update to LinkAce version 2.4.3 or later, where this vulnerability has been fixed.
