FACTION Stored Cross-Site Scripting Vulnerability in Attachment Preview

Vulnerability

A stored cross-site scripting vulnerability has been identified in FACTION, a PenTesting report generation and collaboration framework, prior to version 1.8.3. The issue arises in the assessment file preview process, where user-supplied attachment filenames are saved and later displayed in HTML and attribute contexts without proper output encoding. This oversight allows the execution of attacker-controlled JavaScript in the browsers of users who view the affected page. The vulnerability is persistent, as the injected script is stored on the server and can impact users with privileged accounts.

Impact

Exploitation of this vulnerability allows for the execution of injected JavaScript in the context of the user viewing the assessment. This can lead to unauthorized actions being performed on behalf of the victim user, particularly if the user has administrative privileges. Such actions could include managing users and roles, handling API keys, and modifying platform configurations and workflows. If an administrator's session is compromised, it could result in a complete takeover of the platform.

Reproduction

To reproduce this vulnerability, upload a file with a malicious filename containing JavaScript payloads, such as an image file that exploits an 'onerror' event. Once the file is uploaded, the injected script will execute when the assessment page is viewed.

Remediation

Users can update to FACTION version 1.8.3, where this vulnerability has been fixed.
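The class of fix for this issue is encoding the filename at output time for both the HTML text and attribute contexts. The following is an added example, not FACTION's code: the function names, the /files/ path and the sample filenames are constructed for illustration, and it shows an unencoded preview template beside an encoded one with a small regression check.

```javascript
// Added illustration, not FACTION source code; every name here is hypothetical.

// Encode the characters that can change parser state in HTML text and in
// quoted attribute values.
function encodeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Before: the stored filename is concatenated into attribute and text contexts.
function renderPreviewUnsafe(id, filename) {
  return `<a href="/files/${id}" title="${filename}">${filename}</a>`;
}

// After: same template, every dynamic value encoded when it is written out.
function renderPreviewSafe(id, filename) {
  const name = encodeHtml(filename);
  return `<a href="/files/${encodeURIComponent(id)}" title="${name}">${name}</a>`;
}

// Regression check for this one template (not a general HTML parser):
// the fragment must contain a single opening tag, the anchor, carrying
// exactly the two attributes the template defines.
function structureIntact(html) {
  const tags = html.match(/<[a-zA-Z][^>]*>/g) || [];
  if (tags.length !== 1) return false;
  const attrs = tags[0].match(/[\w-]+="[^"]*"/g) || [];
  return attrs.length === 2;
}

// Constructed filenames using harmless markup only.
const samples = [
  'scan-results.png',
  'notes"><b>bold</b>.png', // closes the attribute and adds an element
  'x" data-extra="1.png',   // closes the attribute and adds another one
  'a&b<c>.txt',             // markup characters in the text context
];

function audit(render) {
  return samples.map((name) => structureIntact(render(42, name)));
}

console.log('unsafe:', audit(renderPreviewUnsafe));
console.log('safe:  ', audit(renderPreviewSafe));
```

Encoding at output, rather than only rejecting filenames at upload, also covers names that were stored before the fix.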

Added: May 26, 2026, 10:39 PM
Updated: May 26, 2026, 10:39 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 1.7
exploitability: 6.3
remediation: 0.0
relevance: 9.6
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.