Morelitea Initiative Stored Cross-Site Scripting Vulnerability in Document Upload
Vulnerability
A stored cross-site scripting vulnerability has been identified in the Morelitea Initiative project management platform, affecting versions prior to 0.32.4. The issue arises in the document upload feature within the 'Initiatives' section, where users with upload permissions can upload malicious HTML files. These files are served from the application's own origin without adequate sandboxing, so any embedded JavaScript executes in the application's context. Successful exploitation can lead to the theft of authentication tokens, session cookies, and other sensitive information, which could be sent to an attacker-controlled server. Furthermore, simply sharing the link to the uploaded file is enough to trigger the malicious script whenever the link is opened.
Impact
Exploitation of this vulnerability results in stored cross-site scripting: uploaded HTML files execute their embedded JavaScript in the context of the application. This can lead to the theft of session tokens and cookies, enabling session hijacking or unauthorized actions on behalf of the victim. Additionally, JWT access tokens exfiltrated through this vulnerability remain valid until they expire, allowing persistent session hijacking even after the victim logs out.
Reproduction
To reproduce this vulnerability, upload a malicious HTML file containing JavaScript into the 'Initiatives' section of the Morelitea Initiative platform. Ensure the file is shared with others. When the file is accessed, the JavaScript will execute, exfiltrating data such as cookies and session information to an attacker-controlled server.
Remediation
Users can update to Morelitea Initiative version 0.32.4, which addresses this vulnerability by implementing proper content security policies and invalidating JWT tokens on logout.
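The two remediations named above, serving uploads so they can never run as the application's origin and rejecting a JWT once its owner has logged out, as an added illustration that is not Morelitea Initiative's code. The list of inline-safe types and the in-memory revocation store are assumptions for the example; a deployment would back the store with shared storage.

```python
# Added example, not Morelitea Initiative's code: the two remediations the
# advisory names. Type list and in-memory revocation store are assumptions.
import posixpath
import time
from typing import Optional
from urllib.parse import quote

# Passive formats that may render inline; anything else is forced to download.
INLINE_SAFE_TYPES = {"image/png", "image/jpeg", "image/gif", "image/webp"}

def safe_filename(name: str) -> str:
    """Keep only the base name and drop characters that would break the header."""
    base = posixpath.basename(name.replace("\\", "/"))
    return "".join(c for c in base if c not in '"\r\n') or "download"

def build_download_headers(filename: str, declared_type: str) -> dict:
    """Headers that keep an uploaded file inert in the browser.

    HTML, SVG, XML and every other non-passive type is relabelled as
    octet-stream and sent as an attachment; nosniff stops the browser from
    second-guessing the label, and the sandbox CSP denies script execution
    and a same-origin context to anything that is still rendered.
    """
    ctype = declared_type.split(";")[0].strip().lower()
    name = safe_filename(filename)
    disposition = "inline" if ctype in INLINE_SAFE_TYPES else "attachment"
    if disposition == "attachment":
        ctype = "application/octet-stream"
    return {
        "Content-Type": ctype,
        "Content-Disposition": f"{disposition}; filename*=UTF-8''{quote(name)}",
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "sandbox; default-src 'none'",
        "Cache-Control": "private, no-store",
    }

# jti -> exp (unix time) of tokens revoked at logout. An entry can be dropped
# once exp passes, because the token's own expiry rejects it from then on.
_revoked: dict = {}

def revoke_token(jti: str, exp: float) -> None:
    """Record a token as revoked when its owner logs out."""
    _revoked[jti] = exp

def is_token_revoked(jti: str, now: Optional[float] = None) -> bool:
    """True if the presented token's jti was revoked and has not yet expired."""
    now = time.time() if now is None else now
    for stale in [j for j, exp in _revoked.items() if exp <= now]:
        del _revoked[stale]
    return jti in _revoked
```

Every request that presents a JWT must consult is_token_revoked after signature and expiry checks, and the logout handler must call revoke_token with the token's jti and exp claims.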