QuickDrop Stored Cross-Site Scripting Vulnerability in SVG File Preview

Vulnerability

A stored cross-site scripting vulnerability has been identified in QuickDrop versions prior to 1.5.3. The application accepts SVG files through the /api/file/upload-chunk endpoint and renders them in its file preview endpoint. An attacker can upload a specially crafted SVG file containing a JavaScript payload; when any user views the file preview, the script executes in the context of the application's domain.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where uploaded SVG files containing JavaScript payloads are executed when the file is previewed.

Reproduction

To reproduce this vulnerability, upload a malicious SVG file through the /api/file/upload-chunk endpoint. This file should include a script tag with a JavaScript payload, such as an alert script. After uploading, navigate to the file preview page to trigger the execution of the embedded script.

Remediation

Users can update to QuickDrop version 1.5.3, where this vulnerability has been fixed.
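For teams that maintain a similar preview feature, the following is an added example of the two defensive layers that close this class of issue. It is not QuickDrop's code and does not reflect how version 1.5.3 fixes the problem: scan_svg() rejects uploads that carry active content (script elements, on* event-handler attributes, javascript: or nested-SVG/HTML data: URIs), and preview_headers() serves stored files so that a browser will not execute them in the application's origin even if a scan is bypassed. The function names and the sample SVG documents are constructed for this example.

```python
"""Added example (not QuickDrop's code): defensive handling of SVG previews.

Layer 1, scan_svg(): reject SVG documents that carry active content.
Layer 2, preview_headers(): serve stored uploads so the browser cannot run
them in the application's origin, which also covers anything the scan misses.
"""
import xml.etree.ElementTree as ET

# Elements that can carry or embed executable content (lowercased local names).
ACTIVE_ELEMENTS = {"script", "foreignobject"}
# URI schemes (after whitespace stripping and lowercasing) rejected in href.
BLOCKED_SCHEMES = ("javascript:", "data:image/svg", "data:text/html")


def _local(qname: str) -> str:
    """Strip an XML namespace: '{http://www.w3.org/2000/svg}script' -> 'script'."""
    return qname.rsplit("}", 1)[-1].lower()


def scan_svg(data: bytes) -> list[str]:
    """Return findings describing active content; an empty list means none found.

    Raises ValueError for input that is not well-formed XML, which should be
    rejected rather than previewed. This is a reject-list scan: keep it behind
    preview_headers(), never in place of it.
    """
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        raise ValueError(f"not well-formed XML: {exc}") from exc

    findings: list[str] = []
    for elem in root.iter():
        if not isinstance(elem.tag, str):  # comments / processing instructions
            continue
        tag = _local(elem.tag)
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"<{tag}> element")
        for attr, value in elem.attrib.items():
            name = _local(attr)
            # Event handlers (onload, onclick, onbegin, ...) on any element.
            if name.startswith("on"):
                findings.append(f"event handler {name!r} on <{tag}>")
                continue
            if name == "href":  # covers both href and xlink:href
                # Browsers ignore whitespace inside a scheme, so normalise first.
                normalised = "".join(value.split()).lower()
                if normalised.startswith(BLOCKED_SCHEMES):
                    findings.append(f"blocked URI scheme in href on <{tag}>")
    return findings


def preview_headers(filename: str, inline: bool) -> dict[str, str]:
    """Response headers for serving a stored SVG upload.

    inline=False: force a download; the browser never renders the document.
    inline=True: allow rendering, but inside a script-less, opaque-origin
    sandbox. Embed it on the preview page with an <img> tag, which does not
    run SVG script either.
    """
    # Minimal header sanitiser; production code should also reject control chars.
    safe_name = filename.replace('"', "").replace("\r", "").replace("\n", "")
    headers = {
        "Content-Type": "image/svg+xml",
        "X-Content-Type-Options": "nosniff",
    }
    if inline:
        headers["Content-Disposition"] = f'inline; filename="{safe_name}"'
        headers["Content-Security-Policy"] = (
            "sandbox; default-src 'none'; style-src 'unsafe-inline'; img-src data:"
        )
    else:
        headers["Content-Disposition"] = f'attachment; filename="{safe_name}"'
    return headers


# Constructed sample inputs for the example (not real uploads).
CLEAN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="10" height="10">
  <circle cx="5" cy="5" r="4" fill="teal"/>
  <image xlink:href="data:image/png;base64,iVBORw0KGgo=" width="1" height="1"/>
</svg>"""

SCRIPT_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg">
  <script>alert(1)</script>
</svg>"""

HANDLER_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" onload="handler()">
  <a xlink:href="java&#x09;script:handler()"><text>x</text></a>
</svg>"""

if __name__ == "__main__":
    for label, doc in (("clean", CLEAN_SVG), ("script", SCRIPT_SVG), ("handler", HANDLER_SVG)):
        print(label, scan_svg(doc))
    print(preview_headers("logo.svg", inline=True))
```

The scan alone is not a sufficient control: SVG has many ways to reach script (animation elements, CSS, nested documents), so the headers are what actually stop execution in the application's origin. Serving previews from a separate origin dedicated to user content adds a further boundary.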

Added: Apr 7, 2026, 6:05 PM
Updated: Apr 7, 2026, 6:05 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 1.7
exploitability: 6.3
remediation: 0.0
relevance: 5.4
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.