Stirling-PDF Stored Cross-Site Scripting Vulnerability via EML-to-HTML Export

A stored cross-site scripting vulnerability has been identified in Stirling-PDF version 2.7.3. The issue arises in the '/api/v1/convert/eml/pdf' endpoint when the 'downloadHtml' parameter is set to true. In this scenario, the application returns unsanitized HTML from the email body, specifically when the Content-Type is 'text/html'. This flaw allows an attacker to execute JavaScript by sending a malicious email to a Stirling-PDF user. The exploitation occurs when the user exports the email using the 'Download HTML intermediate file' feature. Version 2.8.0 addresses this vulnerability.

Impact

Exploitation of this vulnerability allows for unescaped JavaScript execution. Scripts included in the email body, such as those in '<script>' tags or event handlers, run automatically when the exported HTML file is opened in a browser. This could also be used to access internal network services not exposed to the internet, and to create convincing phishing forms that target Stirling-PDF or single sign-on credentials.

Reproduction

To reproduce this vulnerability, send a malicious email with JavaScript embedded in the body and subject to a user with an authenticated Stirling-PDF account. The email must be crafted to include unsanitized HTML, such as a script tag or an image tag with an 'onerror' event. Once the email is received, the user can upload the EML file through the Stirling-PDF application, selecting the 'Download HTML intermediate file' option. After the file is downloaded, opening it in a web browser will trigger the execution of the embedded JavaScript.

Remediation

Users can update to Stirling-PDF version 2.8.0, which addresses this vulnerability.