Stirling-PDF Reflected Cross-Site Scripting Vulnerability via Malicious Filenames

A reflected cross-site scripting vulnerability has been identified in Stirling-PDF versions prior to 2.0.0. The issue arises in file upload endpoints that directly render user-supplied filenames into HTML using unsafe methods, such as innerHTML, without proper sanitization. This allows an attacker to upload a file with a malicious filename containing JavaScript, which executes in the context of the uploading user's browser. The vulnerability is present across various upload endpoints in the application.

Impact

Exploitation of this vulnerability allows for reflected cross-site scripting, where the injected script runs immediately in the user's browser session. This could lead to theft of cookies, session tokens, or other sensitive data visible to the browser. The vulnerability could also be used in social engineering or phishing attacks by manipulating the victim's view or injecting arbitrary scripts into their browser.

Reproduction

To reproduce this vulnerability, upload a file with a malicious filename, such as one containing JavaScript code, through any of the application's upload endpoints. After uploading, the filename will be rendered on the page, and the embedded JavaScript will execute in the user's browser context.

Remediation

Users are advised to update to Stirling-PDF version 2.0.0 or later, where this vulnerability has been fixed.