Budibase Stored Cross-Site Scripting Vulnerability in File Upload Endpoint

Vulnerability

A stored cross-site scripting vulnerability has been identified in Budibase, an open-source low-code platform, prior to version 3.38.2. The issue arises in the file upload endpoint POST /api/attachments/process, which fails to properly restrict active content for authenticated users. The vulnerability allows authenticated builders to upload executable web files, such as SVGs with inline script tags, HTML files with JavaScript, and JavaScript modules. These files are stored in the object store (MinIO/S3) with their correct MIME types. When the signed URL for the uploaded file is accessed by any application user, the browser executes the embedded payload, leading to persistent stored cross-site scripting across all application end users.
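
The mechanism above comes down to two server-side decisions: whether an upload that a browser would render as a document (SVG, HTML, JavaScript) is accepted at all, and which headers the file is served back with. The following Node.js snippet is an added illustration of defence-in-depth checks for both; it is not Budibase code and says nothing about how version 3.38.2 actually fixes the endpoint. The function names, the block list, the sniffing heuristic and the three constructed sample uploads are all assumptions made for this example.

```javascript
// Added example (not Budibase code): defence-in-depth checks an upload
// handler can apply before accepting an attachment, plus the response
// headers to use when serving user-supplied files back. All names and
// the policy below are assumptions made for this illustration.

// MIME types a browser renders as a document in which script can execute.
const ACTIVE_MIME_TYPES = new Set([
  "text/html",
  "application/xhtml+xml",
  "image/svg+xml",
  "text/javascript",
  "application/javascript",
  "application/x-javascript",
  "text/xml",
  "application/xml",
]);

// Extensions that map to the same document types regardless of declared MIME.
const ACTIVE_EXTENSIONS = ["html", "htm", "xhtml", "svg", "xml", "js", "mjs"];

// Script-capable constructs inside SVG/XML/HTML bodies.
const ACTIVE_CONTENT_PATTERNS = [
  /<script\b/i,                 // inline <script> elements
  /\son[a-z]+\s*=/i,            // event-handler attributes such as onload=
  /javascript\s*:/i,            // javascript: URLs in href / xlink:href
  /<foreignObject\b/i,          // HTML embedded inside SVG
  /<!DOCTYPE\s+html/i,          // HTML document under another extension
  /<html\b/i,
  /<iframe\b|<object\b|<embed\b/i,
];

// Content sniff on the first bytes: catches a markup body declared as image/png.
function looksLikeMarkup(buf) {
  const head = buf.subarray(0, 512).toString("utf8").replace(/^\uFEFF/, "").trimStart();
  return head.startsWith("<");
}

// Decide whether an upload is active web content. Returns { allowed, reason }.
function classifyUpload({ filename, mimeType, body }) {
  const ext = filename.includes(".") ? filename.split(".").pop().toLowerCase() : "";
  const mime = (mimeType || "").split(";")[0].trim().toLowerCase();

  if (ACTIVE_MIME_TYPES.has(mime)) {
    return { allowed: false, reason: `active MIME type ${mime}` };
  }
  if (ACTIVE_EXTENSIONS.includes(ext)) {
    return { allowed: false, reason: `active file extension .${ext}` };
  }
  if (looksLikeMarkup(body)) {
    const text = body.toString("utf8");
    const hit = ACTIVE_CONTENT_PATTERNS.find((re) => re.test(text));
    if (hit) return { allowed: false, reason: `markup contains ${hit}` };
    // Markup arriving under a non-markup type is a mismatch; reject it too.
    return { allowed: false, reason: "declared type does not match markup body" };
  }
  return { allowed: true, reason: "ok" };
}

// Headers for serving any user-supplied file: force download, forbid MIME
// sniffing, and sandbox anything a browser does render so script cannot run
// in the application's origin.
function attachmentResponseHeaders(filename) {
  const safeName = filename.replace(/[^\w.\-]/g, "_");
  return {
    "Content-Type": "application/octet-stream",
    "Content-Disposition": `attachment; filename="${safeName}"`,
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "sandbox; default-src 'none'",
  };
}

// Constructed sample uploads for demonstration (not files from the advisory).
const SAMPLES = {
  svgWithScript: {
    filename: "icon.svg",
    mimeType: "image/svg+xml",
    body: Buffer.from('<svg xmlns="http://www.w3.org/2000/svg"><script>/* constructed */</script></svg>'),
  },
  htmlAsPng: {
    filename: "photo.png",
    mimeType: "image/png",
    body: Buffer.from('<!DOCTYPE html><html><body onload="x()"></body></html>'),
  },
  realPng: {
    filename: "photo.png",
    mimeType: "image/png",
    body: Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]), // PNG magic bytes
  },
};

for (const [name, upload] of Object.entries(SAMPLES)) {
  const verdict = classifyUpload(upload);
  console.log(`${name}: allowed=${verdict.allowed} (${verdict.reason})`);
}
```

The two halves are independent: the classifier blocks the file types the advisory names at upload time, while the headers make a signed attachment URL return a download rather than a rendered document even if a check is bypassed. The content sniff matters because the page notes files are stored with their declared MIME type, so a markup body declared as an image must not be trusted on the declared type alone.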

Impact

Exploitation of this vulnerability allows for persistent stored cross-site scripting, where the injected script is executed in the context of the user accessing the application. This could lead to session cookie theft and full account takeover.

Reproduction

To reproduce this vulnerability, authenticate as a user with the Builder role in a self-hosted Budibase deployment prior to version 3.38.2. After logging in, upload a file through the POST /api/attachments/process endpoint. Include an SVG file with a script payload, such as JavaScript code that triggers an alert. Once the file is uploaded, the application will provide a signed URL to access it. When this URL is opened by any app user, the browser will execute the script payload, demonstrating the cross-site scripting vulnerability.

Remediation

Users can update to Budibase version 3.38.2 or later, where this vulnerability has been fixed.

Added: May 28, 2026, 3:52 AM
Updated: May 28, 2026, 3:52 AM

Vulnerability Rating

Custom Algorithm

Category        Score
spread          1.9
impact          1.7
exploitability  6.3
remediation     7.7
relevance       9.1
threat          6.4
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.