Givanz VvvebJs Cross-Site Scripting Vulnerability in File Upload Endpoint

Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in Givanz VvvebJs versions through 2.0.5. The issue resides in the file upload.php, specifically within the File Upload Endpoint component. The vulnerability is triggered by manipulating the uploadAllowExtensions argument, which allows SVG files to be uploaded; an SVG can carry JavaScript that executes when the file is opened in a browser, resulting in stored XSS. The vulnerability can be exploited remotely, without authentication, and has been publicly disclosed along with a proof-of-concept exploit.

Impact

Exploitation of this vulnerability allows for unauthenticated stored cross-site scripting, where injected scripts are executed in the context of the user accessing the affected resource.

Reproduction

To reproduce this vulnerability, upload a malicious SVG file through the File Upload Endpoint. Once the file is uploaded, it will be stored in the media directory. Accessing the file via its URL will trigger the execution of the embedded JavaScript, demonstrating the cross-site scripting vulnerability.

Remediation

Users are advised to update to the patched version of Givanz VvvebJs, which is available on the project's GitHub repository.
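As an added illustration of the server-side fix (this is not VvvebJs's own code), the PHP check below ignores any client-supplied uploadAllowExtensions value, enforces a fixed raster-image allowlist, and verifies file content rather than the file name; the function and constant names are assumptions, not the project's API.

```php
<?php
// Added example, not VvvebJs code. The weak pattern in the advisory is an
// upload endpoint that honours an allowed-extension list sent by the client.
// Here the allowlist lives in server-side code and the request is never consulted.

const UPLOAD_ALLOWED_EXTENSIONS = ['png', 'jpg', 'jpeg', 'gif', 'webp'];
const UPLOAD_ALLOWED_MIME       = ['image/png', 'image/jpeg', 'image/gif', 'image/webp'];

/**
 * Decide whether an uploaded file may be written to the media directory.
 * $originalName is the client-supplied name, $tmpPath the PHP temp file.
 * Any "uploadAllowExtensions" request parameter is deliberately ignored.
 */
function uploadIsAllowed(string $originalName, string $tmpPath): bool
{
    // 1. Extension allowlist: .svg, .html, .php etc. never get through.
    $ext = strtolower(pathinfo($originalName, PATHINFO_EXTENSION));
    if (!in_array($ext, UPLOAD_ALLOWED_EXTENSIONS, true)) {
        return false;
    }

    // 2. Content check via magic bytes: an SVG renamed to .png is XML text and
    //    sniffs as image/svg+xml or text/plain, so it is rejected here.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($tmpPath);
    if (!in_array($mime, UPLOAD_ALLOWED_MIME, true)) {
        return false;
    }

    // 3. It must also parse as a raster image (getimagesize() fails on SVG/XML).
    return @getimagesize($tmpPath) !== false;
}

/**
 * If SVG uploads are a business requirement, serve them so the browser never
 * runs embedded script in the site's origin: force a download and block scripts.
 */
function svgResponseHeaders(): array
{
    return [
        'Content-Type: image/svg+xml',
        'Content-Disposition: attachment',          // download, do not render inline
        "Content-Security-Policy: default-src 'none'", // script-src falls back to none
        'X-Content-Type-Options: nosniff',
    ];
}
```

Serving user-supplied files from a separate, cookie-less origin (or behind a CDN with the headers above) removes the remaining stored-XSS impact even if a validation step is bypassed.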

Added: Apr 6, 2026, 4:19 AM
Updated: Apr 6, 2026, 4:19 AM

Vulnerability Rating (Custom Algorithm)

spread: 0.0
impact: 1.7
exploitability: 6.0
remediation: 7.7
relevance: 5.4
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.