Chartbrew Stored Cross-Site Scripting Vulnerability Allowing Account Takeover

Vulnerability

A stored cross-site scripting (XSS) vulnerability has been identified in Chartbrew versions prior to 4.8.4. The issue lies in the project-logo upload feature, which accepts files without validating their type or content. An attacker can therefore upload an HTML file containing malicious JavaScript. Uploaded files are saved in the uploads directory and served statically from the application's own origin, so script in such a file runs with the same-origin privileges of the Chartbrew web application. Because authentication tokens are likely stored in localStorage and returned in the API response body, where same-origin script can read them, this XSS could lead to account takeover.

Impact

Exploitation of this vulnerability allows arbitrary JavaScript to execute in the victim's browser under the application's domain. Possible consequences include session hijacking through theft of authentication tokens (and of cookies, where they are not marked HttpOnly), account takeover, defacement of content visible to other users, keylogging, phishing via injected forms, and redirection to malicious sites.

Reproduction

To reproduce this vulnerability, upload an HTML document containing JavaScript through the project-logo upload feature; because file type and content are not validated, the file is accepted as a logo. The file is then reachable at its path under the statically served uploads directory. When a logged-in user opens that URL (for example after being sent the link), the JavaScript executes in the context of that user's session on the application's origin, potentially leading to account takeover.

Remediation

Users are advised to update to Chartbrew version 4.8.4 or later, where this vulnerability has been patched. As general defence in depth for any application that stores user uploads, uploaded files should be validated by their content rather than by filename or client-declared type, and the uploads directory should be served with a fixed Content-Type and X-Content-Type-Options: nosniff, ideally from a separate origin so that a stored file can never execute script against the application's own domain.

Added: Mar 6, 2026, 5:31 AM
Updated: Mar 6, 2026, 5:31 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 1.7
exploitability: 6.2
remediation: 0.0
relevance: 3.5
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.