DbGate Stored Cross-Site Scripting Vulnerability with Remote Code Execution Potential in Electron

Vulnerability

A stored cross-site scripting vulnerability has been identified in DbGate, a cross-platform database manager. It affects versions from 7.0.0 up to, but not including, 7.1.5. The flaw arises because attacker-controlled SVG icon strings are rendered as raw HTML without sanitization, so script embedded in an icon executes in the context of the web application. In the Electron desktop build the same injection can escalate to local code execution, because the renderer is configured with Node.js integration enabled (nodeIntegration: true) and context isolation disabled (contextIsolation: false), which gives page script direct access to Node.js and Electron APIs.

Impact

Exploitation yields stored cross-site scripting: the injected script runs in the session of the user who loads the affected content. In the Electron desktop application the same script can call Node.js and Electron APIs from the renderer, so the XSS escalates to code execution on the user's machine with the privileges of the DbGate process.
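The escalation described above depends entirely on the renderer's webPreferences. The following is an added example, not DbGate's own code: it audits a BrowserWindow webPreferences object for the settings that let a renderer XSS reach Node.js, and shows the weak configuration the advisory describes beside a hardened one. The rule list and the finding messages are the author's own; the webPreferences keys are Electron's.

```javascript
// Added example, not DbGate's code: audit Electron renderer settings that
// decide whether a renderer XSS stays in the page or reaches Node.js.

// Settings that must hold for untrusted page content to stay confined to the
// renderer. A value that is not set explicitly is reported too, because the
// Electron defaults changed across major versions (nodeIntegration default
// became false in 5, contextIsolation true in 12, sandbox true in 20), so a
// config that relies on defaults is only as safe as the Electron it ships with.
const RENDERER_RULES = [
  { key: 'nodeIntegration',             want: false, why: 'page script can require() Node modules such as fs and child_process' },
  { key: 'nodeIntegrationInWorker',     want: false, why: 'web workers get Node access' },
  { key: 'contextIsolation',            want: true,  why: 'page script shares one JS world with the preload script and its privileges' },
  { key: 'sandbox',                     want: true,  why: 'renderer process runs outside the OS sandbox' },
  { key: 'webSecurity',                 want: true,  why: 'same-origin policy is disabled in the renderer' },
  { key: 'allowRunningInsecureContent', want: false, why: 'mixed (http) content can be loaded into an https page' },
];

// Return one finding per rule that is violated or left unset.
function auditWebPreferences(prefs) {
  const findings = [];
  for (const rule of RENDERER_RULES) {
    const value = prefs[rule.key];
    if (value === undefined) {
      findings.push({ key: rule.key, value: 'unset', why: 'relies on a version-dependent default; set it explicitly' });
    } else if (value !== rule.want) {
      findings.push({ key: rule.key, value, why: rule.why });
    }
  }
  return findings;
}

// The configuration the advisory describes: Node integration on, context
// isolation off. Any script that runs in this renderer can call Node APIs.
const WEAK_WEB_PREFERENCES = {
  nodeIntegration: true,
  contextIsolation: false,
};

// Hardened configuration: script injected into the page stays inside a
// sandboxed renderer and only reaches the main process through whatever the
// preload script deliberately exposes via contextBridge.
const HARDENED_WEB_PREFERENCES = {
  nodeIntegration: false,
  nodeIntegrationInWorker: false,
  contextIsolation: true,
  sandbox: true,
  webSecurity: true,
  allowRunningInsecureContent: false,
};

// Usage in the main process (not executed here):
//   new BrowserWindow({ webPreferences: HARDENED_WEB_PREFERENCES })
// auditWebPreferences(WEAK_WEB_PREFERENCES) reports nodeIntegration and
// contextIsolation as wrong and the other four keys as unset;
// auditWebPreferences(HARDENED_WEB_PREFERENCES) returns no findings.
```

Hardening the renderer does not fix the XSS itself; it removes the path from script execution to the file system. The icon rendering still has to be fixed, and the preload script must only expose narrow, validated functions, since anything reachable from the page is reachable from the injected script.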

Reproduction

To reproduce this vulnerability, create an application definition whose SVG icon string carries JavaScript. Once saved, the payload executes when the application definition is loaded, which demonstrates the stored cross-site scripting. In the Electron app, the same payload can be escalated to local code execution by having it call Node.js APIs from the renderer, for example to write a file to the local file system.
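Two things a practitioner wants alongside the reproduction: a way to find stored icon payloads in existing application definitions, and the rendering pattern that makes such a payload inert. The following is an added example, not DbGate's own code. The definition shape ({ name, icon }), the sample definitions and the regex list are assumptions of the example; the triage patterns are a string-level filter for hunting stored payloads, not a sanitizer, since entity and whitespace obfuscation can get past regexes.

```javascript
// Added example, not DbGate's code: triage stored SVG icon strings for
// active-content vectors, and render an untrusted icon without executing it.

// Triage patterns for hunting stored payloads. Not a sanitizer: the renderer
// itself must use an allowlisting parser (e.g. DOMPurify's SVG profile) or
// the <img> technique below.
const SCRIPT_VECTORS = [
  { name: 'script-element', re: /<\s*script\b/i },
  { name: 'event-handler',  re: /\son[a-z]+\s*=/i },
  { name: 'javascript-url', re: /(?:href|xlink:href)\s*=\s*["']?\s*javascript:/i },
  { name: 'foreign-object', re: /<\s*foreignObject\b/i },
  { name: 'external-use',   re: /<\s*use\b[^>]*(?:href|xlink:href)\s*=\s*["']?\s*(?:https?:)?\/\//i },
  { name: 'animated-href',  re: /<\s*(?:set|animate)\b[^>]*attributeName\s*=\s*["']?(?:xlink:)?href/i },
];

// Names of every vector present in one SVG string (empty array if none).
function findSvgScriptVectors(svg) {
  return SCRIPT_VECTORS.filter(v => v.re.test(svg)).map(v => v.name);
}

// Scan a list of application definitions (assumed shape: { name, icon }) and
// report which ones carry a vector, for incident triage after patching.
function triageDefinitions(definitions) {
  const hits = [];
  for (const def of definitions) {
    const vectors = findSvgScriptVectors(def.icon || '');
    if (vectors.length > 0) hits.push({ name: def.name, vectors });
  }
  return hits;
}

// Encode an SVG string as a base64 data: URL for an <img> element.
function svgToImageSrc(svg) {
  const b64 = typeof Buffer !== 'undefined'
    ? Buffer.from(svg, 'utf8').toString('base64')
    : btoa(unescape(encodeURIComponent(svg)));
  return 'data:image/svg+xml;base64,' + b64;
}

// Vulnerable pattern, as the advisory describes it: the attacker's string
// becomes live DOM, so <script> elements, on* handlers and javascript: URLs run.
function renderIconUnsafe(container, svg) {
  container.innerHTML = svg;
}

// Hardened pattern: the string is image data, not markup. SVG shown through
// <img> is rendered with script disabled and without access to external
// resources or to the page's DOM, so the icon cannot execute anything.
function renderIconSafe(container, svg) {
  const img = container.ownerDocument.createElement('img');
  img.alt = '';
  img.src = svgToImageSrc(svg);
  container.replaceChildren(img);
}

// Constructed sample definitions (not real DbGate data): one benign icon and
// two carrying the classic XSS canaries.
const SAMPLE_DEFINITIONS = [
  { name: 'benign', icon: '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 16"><circle cx="8" cy="8" r="6"/></svg>' },
  { name: 'onload', icon: '<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"></svg>' },
  { name: 'script', icon: '<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>' },
];

// triageDefinitions(SAMPLE_DEFINITIONS) returns
//   [ { name: 'onload', vectors: ['event-handler'] },
//     { name: 'script', vectors: ['script-element'] } ]
```

The <img> route trades features for safety: icons lose CSS inheritance from the page and cannot use external references, which is the point. Where inline SVG is required, the string must go through a parser-based allowlist (elements, attributes and URL schemes) rather than the regex filter above.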

Remediation

Update to DbGate version 7.1.5 or later, where the vulnerability has been patched. Because the payload is stored in application definitions, definitions created before the upgrade remain worth reviewing for unexpected icon content.

Added: Apr 2, 2026, 6:37 PM
Updated: Apr 2, 2026, 6:37 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 7.5
exploitability: 5.0
remediation: 0.0
relevance: 5.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.