Linkwarden Stored Cross-Site Scripting Vulnerability in Archive Upload Endpoint
Vulnerability
A stored cross-site scripting vulnerability has been identified in Linkwarden, a self-hosted collaborative bookmark manager, in versions through 2.14.0. The issue arises in the archive upload endpoint, which accepts HTML files without properly sanitizing JavaScript content. When these archives are accessed later, the unsanitized HTML is served with a Content-Type of text/html, lacking a Content-Security-Policy header. This oversight enables the execution of arbitrary JavaScript in the context of the authenticated Linkwarden session.
Impact
Exploitation of this vulnerability allows for session hijacking, as the executed JavaScript can access the user's session tokens. Additionally, it enables data theft by allowing enumeration and reading of all links, collections, and user data accessible to the victim.
Reproduction
To reproduce this vulnerability, upload a HTML file containing JavaScript into the archive upload endpoint via a POST request. Once the file is uploaded, access the archive through a GET request to the same endpoint. The server will respond with the HTML file, executing any included JavaScript in the context of the authenticated user.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.