File Browser Stored Cross-Site Scripting Vulnerability in EPUB Preview Function

A stored cross-site scripting vulnerability has been identified in the File Browser application, specifically in versions through 2.62.1. The issue arises in the EPUB preview feature, where JavaScript embedded in a malicious EPUB file is executed in the user's browser during file preview. This vulnerability is rooted in the 'Preview.vue' file, which improperly allows scripted content to be executed within a sandboxed iframe, enabling access to the parent frame's DOM and local storage.

Impact

Exploitation of this vulnerability allows for session hijacking by stealing JSON Web Tokens (JWT) from the local storage of the victim's browser. This could lead to unauthorized access to the victim's account. Additionally, the vulnerability could be used to escalate privileges by allowing a low-privilege user with upload rights to steal an admin's token.

Reproduction

To reproduce this vulnerability, upload a crafted EPUB file containing JavaScript into a File Browser instance running a vulnerable version. After uploading, preview the EPUB file. The embedded script will execute, demonstrating the cross-site scripting vulnerability.

Remediation

Users can upgrade to File Browser version 2.62.2 or later to address this vulnerability.