FACTION
Affected versions: <= 1.8.2
A stored cross-site scripting vulnerability has been identified in FACTION, a PenTesting report generation and collaboration framework, prior to version 1.8.3. The issue arises in the remediation verification file preview process, where user-supplied attachment filenames are saved and later displayed in HTML and attribute contexts without proper output encoding. This oversight allows for the execution of attacker-controlled JavaScript in the browsers of users who access the affected verification or remediation views. Since the injected script is stored on the server and presented to other users, the exploitation is persistent and poses a risk to accounts with elevated privileges.
Exploitation of this vulnerability allows for the execution of injected JavaScript in the context of the user viewing the affected verification or remediation file preview. This can lead to unauthorized actions being performed as the victim user, particularly if an administrator or manager is targeted, potentially allowing for a complete administrative takeover.
To reproduce this vulnerability, upload a file with a crafted filename containing JavaScript payloads, such as an image tag with an 'onerror' event. Once the file is uploaded, the injected script will execute when the attachment preview is accessed.
Users can update to FACTION version 1.8.3, where this vulnerability has been fixed.
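The two rendering contexts the advisory names (HTML text and an HTML attribute) each need their own output encoding. The following is an added example, not FACTION's code or its actual fix: a context-aware encoder for an attachment filename, a preview renderer that applies it, and an upload-time filename allowlist as defence in depth. The function names, the `span`/`title` markup and the constructed filename are assumptions for illustration.

```javascript
// Added example (not FACTION's own code): encode a user-supplied attachment
// filename once per output context, so a filename carrying markup renders as
// inert text instead of being parsed by the browser.

const HTML_TEXT_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

// HTML text context (between tags): escape the five significant characters.
function encodeForHtmlText(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_TEXT_MAP[c]);
}

// Quoted HTML attribute context: encode everything except [A-Za-z0-9] as a
// hex entity (&#xHH;), which is safe regardless of the quoting style used.
function encodeForHtmlAttribute(s) {
  return String(s).replace(/[^A-Za-z0-9]/gu,
    (c) => `&#x${c.codePointAt(0).toString(16).toUpperCase()};`);
}

// Render the preview label the way a fixed template should: the filename is
// encoded for the attribute and for the text node separately, never raw.
function renderAttachmentPreview(filename) {
  const attr = encodeForHtmlAttribute(filename);
  const text = encodeForHtmlText(filename);
  return `<span class="attachment" title="${attr}">${text}</span>`;
}

// Defence in depth at upload time (hypothetical policy, not FACTION's): accept
// only a plain basename of safe characters, at most 255 long, with no "..".
const SAFE_FILENAME = /^[A-Za-z0-9][A-Za-z0-9._-]{0,254}$/;
function isAcceptableFilename(name) {
  return SAFE_FILENAME.test(name) && !name.includes('..');
}

// Constructed test vector of the shape the advisory describes (an image tag
// with an onerror attribute embedded in the filename).
const SAMPLE_FILENAME = 'report<img src=x onerror=1>.png';

if (typeof require !== 'undefined' && require.main === module) {
  console.log(renderAttachmentPreview(SAMPLE_FILENAME));
  console.log('accepted at upload:', isAcceptableFilename(SAMPLE_FILENAME));
}
```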