Uploady Stored Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability has been identified in Uploady, a file uploader script, in versions prior to 3.1.2. The issue arises from inadequate sanitization of filenames during the file upload process, allowing an attacker to upload a file with a malicious filename containing JavaScript code. This script is executed in the browser of any user who views the file list or details page where the filename is displayed. The vulnerability could be exploited by uploading a file with a name that includes a script payload, which would then run when the file is accessed through the application interface.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the affected page. During testing, it was possible to execute JavaScript payloads that accessed session cookies, potentially leading to session hijacking or impersonation of other users.

Reproduction

To reproduce this vulnerability, upload a file (such as a PNG) with a filename that includes a JavaScript payload, such as an image tag with an event handler, like an 'onerror' attribute. After uploading, view the file list or the file details page to trigger the execution of the JavaScript payload in the browser.

Remediation

Users can upgrade to Uploady version 3.1.2 or later, where this vulnerability has been fixed.