Parse Server Stored Cross-Site Scripting Vulnerability via SVG File Upload

Vulnerability

A stored cross-site scripting vulnerability exists in Parse Server versions 9.0.0 up to but not including 9.5.2-alpha.4, and in versions before 8.6.17. An authenticated user can upload an SVG file that contains JavaScript. Parse Server serves the uploaded file inline with Content-Type image/svg+xml and without protective headers (such as Content-Disposition: attachment or a Content-Security-Policy that blocks script), so when a victim opens the file URL the embedded script runs in the Parse Server origin. Script running in that origin can read the session token that the Parse client keeps in localStorage, which enables account takeover. The default fileExtensions option blocks the HTML extensions but does not restrict SVG, a well-known XSS vector. Every Parse Server deployment with file upload enabled for authenticated users is affected.

Impact

Exploitation results in stored cross-site scripting: the uploaded SVG executes its embedded script in the victim's browser within the Parse Server origin, which can lead to session token theft and account takeover.

Remediation

Upgrade to Parse Server 9.5.2-alpha.4 or 8.6.17. If upgrading is not immediately possible, block SVG uploads by setting the fileExtensions option to an explicit allowlist that does not include svg. Neither step removes SVG files uploaded before the change; review files already in storage as well.
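The following JavaScript is an added example, not code from Parse Server or from this advisory. It contrasts the documented default fileExtensions pattern, which only rejects the HTML extensions, with an anchored allowlist, and shows the response headers that prevent inline rendering when uploads must still be served from the application origin. isAllowedUpload is an approximation of Parse Server's upload filter written for this example, assuming each fileExtensions entry is compiled as a regular expression and tested against the extension; the helper names, the STRICT_FILE_EXTENSIONS list and the sample filenames are assumptions.

```javascript
// Added example; not Parse Server code. isAllowedUpload approximates the
// upload filter (each fileUpload.fileExtensions entry treated as a regular
// expression tested against the extension). Helper names,
// STRICT_FILE_EXTENSIONS and the sample uploads are assumptions.

// Documented default for fileUpload.fileExtensions. It rejects "html"/"htm"
// (and, as written, admits only 3- or 4-character extensions), so "svg" is
// accepted and the XSS vector stays open.
const DEFAULT_FILE_EXTENSIONS = ['^[^hH][^tT][^mM][^lL]?$'];

// Hardened allowlist for an app that needs only raster images and PDFs.
// Patterns are anchored: an unanchored 'png' would also accept 'xpng'.
// Matching is case-sensitive here; add uppercase variants if clients send them.
const STRICT_FILE_EXTENSIONS = ['^png$', '^jpe?g$', '^gif$', '^webp$', '^pdf$'];

// Derive the extension the way an upload router would: from the filename
// when it has one, otherwise from the MIME subtype (assumed fallback).
function extensionOf(filename, contentType) {
  let ext = '';
  if (filename && filename.includes('.')) {
    ext = filename.slice(filename.lastIndexOf('.') + 1);
  } else if (contentType && contentType.includes('/')) {
    ext = contentType.split('/')[1];
  }
  return ext.replace(/\s+/g, '');
}

// True when the extension matches any configured pattern ('*' allows all).
function isAllowedUpload(filename, contentType, fileExtensions) {
  const ext = extensionOf(filename, contentType);
  return fileExtensions.some(p => p === '*' || new RegExp(p).test(ext));
}

// The hardened setting as it would appear in a Parse Server options object.
const hardenedParseServerOptions = {
  fileUpload: {
    enableForAuthenticatedUser: true,
    fileExtensions: STRICT_FILE_EXTENSIONS,
  },
};

// Defense in depth, independent of the Parse Server patch, for any upload
// still served from the application origin: force download instead of
// inline rendering, deny script if the browser renders it anyway, and
// forbid MIME sniffing.
function uploadResponseHeaders(contentType) {
  return {
    'Content-Type': contentType,
    'Content-Disposition': 'attachment',
    'Content-Security-Policy': "sandbox; default-src 'none'",
    'X-Content-Type-Options': 'nosniff',
  };
}

// Constructed sample uploads used to exercise the filter.
const SAMPLE_UPLOADS = [
  { filename: 'avatar.png', contentType: 'image/png' },
  { filename: 'payload.svg', contentType: 'image/svg+xml' },
  { filename: 'page.html', contentType: 'text/html' },
  { filename: 'report.pdf', contentType: 'application/pdf' },
];

// Evaluate every sample against a fileExtensions list.
function filterReport(fileExtensions) {
  return SAMPLE_UPLOADS.map(u => ({
    name: u.filename,
    allowed: isAllowedUpload(u.filename, u.contentType, fileExtensions),
  }));
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('default:', filterReport(DEFAULT_FILE_EXTENSIONS));
  console.log('strict :', filterReport(STRICT_FILE_EXTENSIONS));
  console.log(hardenedParseServerOptions, uploadResponseHeaders('image/svg+xml'));
}
```

Run with node: under the default pattern payload.svg is accepted while page.html is rejected; under the strict list only the image and PDF samples pass. Whether or not Parse Server compiles the entries exactly as this approximation does, an anchored allowlist is correct under either interpretation, which is why the patterns above carry ^ and $.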

Added: Mar 10, 2026, 9:28 PM
Updated: Mar 10, 2026, 9:28 PM

Vulnerability Rating

Custom Algorithm

spread: 6.4
impact: 3.5
exploitability: 5.2
remediation: 8.3
relevance: 3.7
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.