Twenty
- <= 1.18.0
A stored cross-site scripting vulnerability has been identified in Twenty CRM versions up to and including 1.18.0. The issue arises in the file serving endpoints, which return uploaded files without sanitizing their type and without response headers that would stop a browser from rendering them inline. An authenticated attacker can therefore upload an HTML file containing JavaScript, and when that file is fetched through the serving endpoint the browser renders it as a page of the Twenty CRM origin and runs the script. The vulnerability can lead to session hijacking, account takeover, and data theft.
Because the payload is stored and served from the main application domain, the script runs with the cookies and storage of whichever user opens the file's URL. That includes reading session tokens, in particular those of admin users who are lured to the link, which facilitates unauthorized access and actions within the application.
To reproduce this vulnerability:
- Log into Twenty CRM as a user with Member privileges.
- Upload an HTML file containing a JavaScript payload through the 'uploadWorkflowFile' mutation of the GraphQL API.
- Request the uploaded file through the file serving endpoint. The response carries no header that would prevent inline rendering (for example a Content-Disposition: attachment header or a non-HTML Content-Type), so the browser renders the file and executes the script in the application's origin.
The original report automates these steps with a script.
Users are advised to update to a version of Twenty CRM later than 1.18.0 that addresses this vulnerability. The recommended fix includes serving uploads with response headers that prevent inline rendering, extending file type sanitization, and enforcing an allowlist of permitted upload types. The header change matters for files that already exist: an allowlist only blocks new uploads, whereas hardened response headers also neutralize HTML files stored before the update.
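As an added example that is neither Twenty CRM's code nor the report's script, the following JavaScript shows the check a tester applies to the serving response in the reproduction steps above (does the response let an uploaded HTML body render as an active document?) together with the hardened serving headers and upload allowlist that the fix paragraph describes. The function names, the allowlist contents, and the exact header values are assumptions chosen for illustration.

```javascript
// Added example, not Twenty CRM's code: the response check from the reproduction
// steps and a hardened file-serving/upload policy matching the recommended fix.
// Function names, the allowlist and the header values are assumptions.

// Upload allowlist: extension -> the only MIME type accepted with it. Illustrative
// contents; HTML, SVG and XML are deliberately absent because browsers render them
// as documents and run their scripts when they are served inline.
const ALLOWED_UPLOADS = new Map([
  ['pdf', 'application/pdf'],
  ['png', 'image/png'],
  ['jpg', 'image/jpeg'],
  ['jpeg', 'image/jpeg'],
  ['csv', 'text/csv'],
  ['txt', 'text/plain'],
]);

// Media types a browser treats as a document in which script can run.
const ACTIVE_TYPES = new Set([
  'text/html', 'application/xhtml+xml', 'image/svg+xml', 'text/xml', 'application/xml',
]);

// Accept an upload only if its extension is allowlisted and the declared type
// matches it, so "evil.png" declared as text/html is rejected too.
function isUploadAllowed(filename, declaredType) {
  const ext = String(filename).toLowerCase().split('.').pop();
  if (!ALLOWED_UPLOADS.has(ext)) return false;
  const type = String(declaredType).toLowerCase().split(';')[0].trim();
  return ALLOWED_UPLOADS.get(ext) === type;
}

// Keep Content-Disposition filenames to a safe character set so an attacker-chosen
// name cannot inject quotes or CR/LF into the response header.
function sanitizeFilename(name) {
  return String(name).replace(/[^A-Za-z0-9._-]/g, '_');
}

// Normalize a header object to lowercase keys and string values.
function lowerHeaders(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = String(v);
  return out;
}

// The tester's check: would this response render the served file as an active
// document in the application's origin? true means a stored HTML payload would run.
function rendersAsActiveContent(headers) {
  const h = lowerHeaders(headers);
  // A forced download is never rendered, whatever the body contains.
  const disposition = (h['content-disposition'] || '').trim().toLowerCase();
  if (disposition.startsWith('attachment')) return false;
  // No Content-Type at all: the browser sniffs the body, and an HTML body renders
  // as HTML. A concrete non-active type (image/png, application/pdf ...) does not.
  const type = (h['content-type'] || '').split(';')[0].trim().toLowerCase();
  if (type !== '' && !ACTIVE_TYPES.has(type)) return false;
  // A CSP sandbox without allow-scripts blocks script even if the document renders.
  const csp = (h['content-security-policy'] || '').toLowerCase();
  if (/(^|;)\s*sandbox\b/.test(csp) && !csp.includes('allow-scripts')) return false;
  return true;
}

// Hardened serving headers: never render an upload inline, never let the browser
// sniff, and sandbox the document in case a client ignores Content-Disposition.
// Active types stored before the fix are downgraded to application/octet-stream.
function safeFileHeaders(storedName, storedType) {
  const type = String(storedType || '').split(';')[0].trim().toLowerCase();
  return {
    'Content-Type': type === '' || ACTIVE_TYPES.has(type) ? 'application/octet-stream' : type,
    'Content-Disposition': `attachment; filename="${sanitizeFilename(storedName)}"`,
    'X-Content-Type-Options': 'nosniff',
    'Content-Security-Policy': "default-src 'none'; sandbox",
    'Cache-Control': 'private, no-store',
  };
}

// Constructed responses: the vulnerable endpoint's answer for the uploaded payload
// (no protective headers) versus the hardened variant for the same stored file.
const vulnerableResponse = { 'Content-Type': 'text/html' };
console.log('vulnerable response renders payload:', rendersAsActiveContent(vulnerableResponse)); // true
console.log('hardened response renders payload:',
  rendersAsActiveContent(safeFileHeaders('payload.html', 'text/html'))); // false
console.log('payload.html passes upload allowlist:', isUploadAllowed('payload.html', 'text/html')); // false
```

Run it with node; the three printed lines reproduce the before/after contrast from the advisory. The check is deliberately conservative about a missing Content-Type, since a sniffed HTML body is exactly the rendering path the bug depends on, and the hardened headers layer three independent defenses so that a single permissive client or proxy does not reopen the issue.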