Postiz Unrestricted File Upload Vulnerability Leading to Stored Cross-Site Scripting

Vulnerability

A vulnerability in Postiz, an AI social media scheduling tool, prior to version 2.21.6, allows authenticated users to bypass file upload validation and upload arbitrary HTML, SVG, or other executable file types. This is achieved by spoofing the 'Content-Type' header. The uploaded files are served by nginx with a Content-Type based on their original extension, enabling Stored Cross-Site Scripting (XSS) in the context of the application's origin. This vulnerability can lead to session riding, account takeover, and full compromise of other users' accounts.

Impact

Exploitation of this vulnerability allows for Stored Cross-Site Scripting, where uploaded files execute JavaScript in the context of the application, with access to the user's authenticated session. This can be used to exfiltrate sensitive information, such as profile details, API keys, and social media integration tokens, and to perform actions on behalf of the user, including modifying posts and managing organization settings. The vulnerability also allows for the persistent compromise of other users by uploading malicious files that execute when the user interacts with them.

Reproduction

To reproduce this vulnerability, an authenticated user uploads a file such as an SVG or HTML file while spoofing the 'Content-Type' header of the upload request to bypass the application's file validation. Once the file is uploaded, it can be accessed through the application's upload URL, where the embedded JavaScript executes in the context of the user's session.

Remediation

Users are advised to upgrade to Postiz version 2.21.6 or later, where this vulnerability has been fixed.
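As an added example (not Postiz's own code) of the server-side checks that close this class of bypass: the file type is decided from the upload's bytes and an extension allowlist, the client-supplied Content-Type header never influences the decision, and the stored name and serving headers are derived from the verified type rather than the original extension. The allowlist, the storage naming scheme and the sample bytes are assumptions.

```typescript
// Added example, not Postiz code: decide what an upload is from its bytes and
// extension, never from the client-supplied Content-Type header, and store it
// under a server-chosen name whose extension matches the verified type.

interface TypeSpec { magic: number[]; mime: string; ext: string }

// Allowlist of image types the service is willing to store (assumption).
const ALLOWED: Record<string, TypeSpec> = {
  png:  { magic: [0x89, 0x50, 0x4e, 0x47], mime: "image/png",  ext: "png" },
  jpg:  { magic: [0xff, 0xd8, 0xff],       mime: "image/jpeg", ext: "jpg" },
  jpeg: { magic: [0xff, 0xd8, 0xff],       mime: "image/jpeg", ext: "jpg" },
  gif:  { magic: [0x47, 0x49, 0x46, 0x38], mime: "image/gif",  ext: "gif" },
};

export interface Verdict { ok: boolean; mime?: string; storedName?: string; reason?: string }

export function validateUpload(filename: string, bytes: Uint8Array, declaredType: string, id: string): Verdict {
  const ext = filename.toLowerCase().split(".").pop() ?? "";
  const spec = ALLOWED[ext];
  if (!spec) return { ok: false, reason: `extension .${ext} is not an allowed image type` };
  // The declared header is reported for diagnostics only; it never affects the decision.
  if (!spec.magic.every((b, i) => bytes[i] === b)) {
    return { ok: false, reason: `bytes are not ${spec.mime} (client declared ${declaredType})` };
  }
  return { ok: true, mime: spec.mime, storedName: `${id}.${spec.ext}` };
}

// Response headers for serving a stored upload: the type is the verified one,
// nosniff stops browsers from reinterpreting the body, and a sandboxed CSP keeps
// any script in a misclassified file out of the application's origin.
export function serveHeaders(verifiedMime: string): Record<string, string> {
  return {
    "Content-Type": verifiedMime,
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "sandbox",
  };
}

// Constructed sample inputs.
const ascii = (s: string): Uint8Array => Uint8Array.from(s, (c) => c.charCodeAt(0));
export const SAMPLE_PNG = Uint8Array.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]);
export const SAMPLE_SVG = ascii('<svg xmlns="http://www.w3.org/2000/svg"></svg>');

// SVG bytes uploaded as "avatar.png" with a spoofed image/png header: rejected on content.
export const spoofed = validateUpload("avatar.png", SAMPLE_SVG, "image/png", "u1");
// Real PNG bytes with an odd declared type: accepted, since the header is not trusted either way.
export const genuine = validateUpload("avatar.png", SAMPLE_PNG, "text/html", "u2");
```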

Added: Apr 18, 2026, 2:21 AM
Updated: Apr 18, 2026, 2:21 AM

Vulnerability Rating

Custom Algorithm

  spread          0.0
  impact          1.7
  exploitability  5.8
  remediation     0.0
  relevance       6.3
  threat          6.4
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.