TypeBot
- <= 3.15.2
A critical stored cross-site scripting (XSS) vulnerability has been identified in TypeBot versions through 3.15.2. The issue arises in the profile picture upload form, where the application fails to properly sanitize or restrict SVG/XML-based uploads. This allows an attacker to upload a malicious SVG file containing embedded JavaScript, which is then executed when the file is accessed through the domain. The vulnerability is particularly concerning because the malicious payload is persistently stored on the user's infrastructure (app.typebot.io) and can be accessed via a public, permanent link. Exploitation of this vulnerability enables the execution of arbitrary JavaScript in the browsers of users who access the uploaded file, potentially leading to session theft, account takeover, and exfiltration of sensitive user data.
Successful exploitation allows for account takeover by stealing session cookies and authentication tokens, hijacking user or admin accounts, executing arbitrary JavaScript in victim browsers, exfiltrating sensitive user information such as emails and phone numbers, and interacting with internal APIs on behalf of the victim. The vulnerability also poses a persistent threat, as the malicious SVGs remain hosted on the user's infrastructure and can be accessed by anyone, including enterprise clients using the GaioTech platform.
To reproduce this vulnerability, upload a crafted SVG file containing a JavaScript payload to the profile picture upload form on app.typebot.io. Once uploaded, opening the file's public link renders the SVG and executes the embedded script, demonstrating the stored cross-site scripting vulnerability.
Users are advised to update to TypeBot version 3.16.0, which addresses the stored XSS vulnerability by disallowing script execution in SVG files.
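The root cause described above is an upload handler that accepts SVG/XML without checking for executable content. The following is an added example (not TypeBot's own code, and not the 3.16.0 fix) of a server-side check that rejects SVG uploads able to run script, plus the defence-in-depth headers a file host would send for accepted uploads; the sample documents are constructed, and only the Python standard library is used.

```python
# Added example (not TypeBot's code): reject SVG uploads that can execute
# script, and serve accepted files with headers that deny script anyway.
import re
import xml.etree.ElementTree as ET

# Elements that execute script or embed foreign content, and URL schemes that
# must not appear in href/xlink:href. 'data:' is rejected conservatively.
SCRIPT_TAGS = {"script", "foreignobject", "iframe", "embed", "object", "handler"}
BAD_SCHEMES = ("javascript:", "vbscript:", "data:")

# Constructed sample uploads (not taken from the advisory).
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>'
SCRIPT_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><script>/* x */</script></svg>'


def _local(name: str) -> str:
    """Strip the namespace: '{http://www.w3.org/2000/svg}script' -> 'script'."""
    return name.rsplit("}", 1)[-1].lower()


def check_svg(data: bytes):
    """Return (accepted, reason) for a candidate SVG profile picture."""
    # Refuse DOCTYPE/entity declarations before parsing (entity expansion, XXE).
    if re.search(rb"<!(DOCTYPE|ENTITY)", data, re.IGNORECASE):
        return False, "DOCTYPE/entity declarations not allowed"
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return False, f"not well-formed XML: {exc}"
    if _local(root.tag) != "svg":
        return False, "root element is not <svg>"
    for el in root.iter():  # includes the root element itself
        tag = _local(el.tag)
        if tag in SCRIPT_TAGS:
            return False, f"forbidden element <{tag}>"
        for attr, value in el.attrib.items():
            name = _local(attr)
            if name.startswith("on"):  # onload=, onclick=, onerror=, ...
                return False, f"event handler attribute {name} on <{tag}>"
            if name == "href" and value.strip().lower().startswith(BAD_SCHEMES):
                return False, f"forbidden href scheme on <{tag}>"
    return True, "ok"


def download_headers(filename: str) -> dict:
    """Headers for serving an accepted upload: no sniffing, no inline document
    rendering on navigation, and a CSP sandbox that denies script if rendered."""
    return {
        "Content-Type": "image/svg+xml",
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": f'attachment; filename="{filename}"',
        "Content-Security-Policy": "default-src 'none'; style-src 'unsafe-inline'; sandbox",
    }
```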