CVE-2024-12665 - Stored Cross-Site Scripting (XSS) via Project Task Comment SVG Upload in ruifang-tech Rebuild 3.8.5
A Stored Cross-Site Scripting (XSS) vulnerability exists in Rebuild 3.8.5 through the project task comment attachment upload functionality. Attackers can upload a crafted SVG file containing malicious JavaScript. When a victim views the uploaded SVG, the embedded script is executed in the victim's browser.
Affected component: project task comment attachment upload functionality.
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Impact: allows execution of malicious scripts, since the uploaded SVG file is rendered every time the project task is viewed.
- Navigate to the project task comments section in Rebuild 3.8.5.
- Upload an SVG file with an onload attribute followed by an arbitrary script to be executed within a viewer's browser.
- Save the comment with the uploaded SVG attachment.
- When any user (or admin) views the comment and the SVG is rendered, the embedded script will execute, triggering an alert.
The application fails to properly validate or sanitize uploaded files. SVG files are treated as images but can contain executable scripts, allowing attackers to inject malicious code.
- Restrict File Types: Disallow SVG uploads or strictly validate uploaded files to ensure they do not contain potentially harmful scripts.
- Content Security Policy (CSP): Implement a robust CSP to block inline scripts and unauthorized resource execution.
- Sanitize SVG Files: Use a library or tool to sanitize uploaded SVG files by removing any scriptable or malicious elements.
- Encode Attachments: Render attachments as downloads instead of embedding them directly into the page.
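As an added example (not Rebuild's own code), the following Python implements the "Sanitize SVG Files" mitigation above: it parses an uploaded SVG, removes script-bearing elements and every on* event attribute (such as the onload handler used in the reproduction steps), neutralises javascript:/data: hrefs, and reports what it stripped so the upload handler can either reject the file outright or store the cleaned copy. The sample SVG and the function names are constructed for this example.

```python
# Added example (not Rebuild code): strip-or-reject checks for uploaded SVG
# attachments. Stdlib parser shown for portability; in production parse with
# defusedxml, which also blocks entity-expansion attacks.
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
# Elements that carry script, embed HTML, or rewrite attributes at runtime.
FORBIDDEN_TAGS = {"script", "foreignObject", "set", "animate"}
HREF_ATTRS = {"href", "{%s}href" % XLINK_NS}
ACTIVE_SCHEME = re.compile(r"^\s*(javascript|data|vbscript)\s*:", re.I)
# Constructed sample in the shape the advisory describes (onload + script).
SAMPLE_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)">'
              b'<rect width="10" height="10"/><script>alert(1)</script></svg>')

def _local(tag: str) -> str:
    """'{http://www.w3.org/2000/svg}rect' -> 'rect'."""
    return tag.rsplit("}", 1)[-1]

def sanitize_svg(data: bytes) -> tuple[bytes, list[str]]:
    """Return (cleaned SVG, removed items); an empty list means the file was clean.
    Raises ET.ParseError / ValueError so the upload handler can reject the file."""
    ET.register_namespace("", SVG_NS)
    ET.register_namespace("xlink", XLINK_NS)
    root = ET.fromstring(data)
    if _local(root.tag) != "svg":
        raise ValueError("root element is not <svg>")
    removed: list[str] = []
    # Collect first, then detach, so the tree is not mutated while iterating.
    doomed = [(p, c) for p in root.iter() for c in list(p)
              if _local(c.tag) in FORBIDDEN_TAGS]
    for parent, child in doomed:
        parent.remove(child)
        removed.append("<%s>" % _local(child.tag))
    for el in root.iter():  # includes the <svg> root itself (<svg onload=...>)
        for name, value in list(el.attrib.items()):
            lname = _local(name).lower()
            if lname.startswith("on"):  # onload, onerror, onclick, ...
                del el.attrib[name]
                removed.append("@" + lname)
            elif name in HREF_ATTRS and ACTIVE_SCHEME.match(value):
                del el.attrib[name]
                removed.append("@%s=%s:" % (lname, value.split(":")[0].strip()))
    return ET.tostring(root, encoding="utf-8", xml_declaration=True), removed
```

A strict policy rejects any upload for which the returned list is non-empty; pairing the check with a Content-Disposition: attachment download (the last mitigation above) protects viewers even if a bypass slips past the sanitizer.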