efw4.X Stored Cross-Site Scripting Vulnerability in previewServlet
Vulnerability
A stored cross-site scripting vulnerability has been identified in efw4.X versions prior to 4.08.010. The issue arises in the previewServlet, which serves each file with a MIME type detected from its file extension, without any content sanitization or security headers. As a result, JavaScript embedded in files with .html, .htm, or .svg extensions executes in the context of the application's origin. An attacker who can upload files to the elfinder storage can exploit this by embedding malicious JavaScript in an HTML or SVG file. When the file is previewed, the script executes with full access to the application's origin, potentially leading to session hijacking, cross-site request forgery, DOM manipulation, and phishing attacks.
Impact
Exploitation of this vulnerability allows for stored cross-site scripting, where uploaded JavaScript is executed in the context of the application's origin, with access to the user's session and the ability to make authenticated requests.
Reproduction
To reproduce this vulnerability, upload a file containing a script tag, such as one with an alert command, to the elfinder storage. Then, use the preview functionality to view the file. The embedded JavaScript will execute, demonstrating the cross-site scripting vulnerability.
Remediation
Users are advised to update to efw4.X version 4.08.010 or later, where this vulnerability has been fixed.
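The advisory does not say how 4.08.010 fixes the issue. For deployments that expose a similar preview endpoint, the following added Java example (not efw code) shows one common server-side mitigation: choosing response headers so that the extensions named above are never rendered as active content. The class name PreviewHeaders, the method headersFor and the inline allow-list are assumptions made for illustration.

```java
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

// Added illustration, not efw code: picks response headers for a file preview
// so that uploaded HTML/SVG cannot run script in the application's origin.
public class PreviewHeaders {
    // Extensions the advisory names as script-capable when rendered inline.
    private static final Set<String> ACTIVE = Set.of("html", "htm", "svg");
    // Hypothetical allow-list of types considered safe to render inline.
    private static final Map<String, String> INLINE = Map.of(
        "png", "image/png", "jpg", "image/jpeg",
        "gif", "image/gif", "txt", "text/plain; charset=utf-8");

    static String extensionOf(String fileName) {
        int dot = fileName.lastIndexOf('.');
        return dot < 0 ? "" : fileName.substring(dot + 1).toLowerCase(Locale.ROOT);
    }

    public static Map<String, String> headersFor(String fileName) {
        String ext = extensionOf(fileName);
        Map<String, String> h = new LinkedHashMap<>();
        // Stop the browser from sniffing a type other than the one declared.
        h.put("X-Content-Type-Options", "nosniff");
        // If the body is rendered anyway, scripts are disabled and the
        // document gets an opaque origin instead of the application's.
        h.put("Content-Security-Policy", "sandbox");
        String inlineType = INLINE.get(ext);
        if (ACTIVE.contains(ext) || inlineType == null) {
            // Active or unknown content: deliver as opaque bytes to download.
            h.put("Content-Type", "application/octet-stream");
            h.put("Content-Disposition", "attachment");
        } else {
            h.put("Content-Type", inlineType);
            h.put("Content-Disposition", "inline");
        }
        return h;
    }

    public static void main(String[] args) {
        // Constructed sample names; in a servlet each entry would be applied
        // with response.setHeader(name, value) before the body is written.
        for (String name : new String[] {"photo.PNG", "logo.svg", "note.HTM", "data.bin"}) {
            System.out.println(name + " -> " + headersFor(name));
        }
    }
}
```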
