ProjeQtOr
cpe:2.3:a:projeqtor:projeqtor:*:*:*:*:*:*:*
- >= 7.0, <= 12.4.3
A stored cross-site scripting vulnerability has been identified in ProjeQtOr versions from 7.0 up to, but not including, 12.4.4. The issue arises in the file upload feature, where the 'checkValidFileName()' function does not adequately restrict the upload of HTML and HTM files. This flaw allows authenticated attackers to upload HTML files containing arbitrary JavaScript through the image upload or attachment endpoints. When users access the URL of the uploaded file, the embedded JavaScript is executed in their browsers.
Exploitation of this vulnerability allows for stored cross-site scripting, where uploaded HTML files are served as trusted content, enabling the execution of embedded JavaScript in the browsers of users who access the file.
To address this vulnerability, it is recommended to implement strict validation on uploaded files, blocking active extensions such as .html, .htm, and .js when not needed. Additionally, validating MIME types server-side, storing uploaded files outside the web root, and applying a strict Content Security Policy can enhance security. ProjeQtOr users should also consider updating to version 12.4.4 or later, where this vulnerability has been fixed.
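The mitigations listed above can be combined in one upload path. The following PHP sketch is an added example, not ProjeQtOr's own code or its fix. The names `ALLOWED_UPLOADS`, `validateUpload()` and `downloadHeaders()` are hypothetical, and it assumes PHP 7.1 or later with the fileinfo extension enabled.

```php
<?php
// Hypothetical allow-list (not from ProjeQtOr): extension => required MIME type.
const ALLOWED_UPLOADS = [
    'png'  => 'image/png',
    'jpg'  => 'image/jpeg',
    'gif'  => 'image/gif',
    'pdf'  => 'application/pdf',
];

/** Returns [storedName, mime] for an acceptable upload, or null to reject it. */
function validateUpload(string $clientName, string $bytes): ?array
{
    // The client-supplied name is read only for its final extension.
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED_UPLOADS)) {
        return null; // .html, .htm, .js and anything else not listed
    }
    // Server-side content check (fileinfo extension); the Content-Type
    // sent by the browser is never consulted.
    $sniffed = (new finfo(FILEINFO_MIME_TYPE))->buffer($bytes);
    if ($sniffed !== ALLOWED_UPLOADS[$ext]) {
        return null; // content does not match the claimed extension
    }
    // Server-generated name, to be written to a directory outside the web root.
    return [bin2hex(random_bytes(16)) . '.' . $ext, $sniffed];
}

/** Response headers for a download script that streams a stored upload. */
function downloadHeaders(string $mime): array
{
    $isImage = strncmp($mime, 'image/', 6) === 0;
    return [
        'Content-Type: ' . $mime,
        'X-Content-Type-Options: nosniff',
        'Content-Disposition: ' . ($isImage ? 'inline' : 'attachment'),
        "Content-Security-Policy: default-src 'none'; sandbox",
    ];
}

// Constructed sample uploads: [client file name, file content].
$samples = [
    ['note.html', '<html><body><script>alert(1)</script></body></html>'],
    ['photo.gif', '<html><body><script>alert(1)</script></body></html>'],
    ['photo.gif', "GIF89a\x01\x00\x01\x00\x00\x00\x00;"],
];
foreach ($samples as [$name, $bytes]) {
    $result = validateUpload($name, $bytes);
    echo $name, ' => ', $result === null ? 'rejected' : 'stored as ' . $result[0], PHP_EOL;
}
```

Because the stored name and the served Content-Type both come from the allow-list rather than from the client, a file that passes validation is never delivered to the browser as HTML.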