How the CVE Works:
The vulnerability exists in the `/files` endpoint of CUBA Platform's REST API (versions <7.2.7). An attacker can manipulate the file path parameter so that the server returns a `Content-Type: text/html` header whenever the requested filename ends with `.html`. If a file containing JavaScript has been uploaded, the browser renders it as a page and executes the script, because the content type is derived from the filename instead of being validated. This stored XSS requires authentication, which reduces its severity. The root cause is that the API neither sanitizes user-supplied filenames nor enforces correct MIME types.
DailyCVE Form:
Platform: CUBA Platform
Version: <7.2.7
Vulnerability: Stored XSS
Severity: Moderate
Date: Apr 22, 2025
What Undercode Says:
Exploitation:
1. Upload Malicious File:
```bash
curl -X POST -F "[email protected]" -H "Authorization: Bearer <token>" https://target.com/api/files
```
2. Trigger XSS:
```html
<img src="https://target.com/api/files/../malicious.html" onerror="alert('XSS')">
```
Protection:
1. Patch: Upgrade to REST API add-on 7.2.7.
2. Disable Endpoint: Remove `/files` from API routes.
3. Content-Type Enforcement:
```java
// Never derive the type from the uploaded filename; force a non-renderable type for user content
response.setHeader("Content-Type", "text/plain"); // Force non-HTML
```
4. Input Sanitization:
```java
// Strips path separators and other unexpected characters; dots are kept, so a name
// containing ".." must still be rejected and the resolved path checked against the storage root
String sanitized = filename.replaceAll("[^a-zA-Z0-9.-]", "");
```
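Putting steps 3 and 4 together, here is an added example (not CUBA Platform's own code) of a hardened download handler: the content type comes from a small allowlist keyed on the extension rather than from the client, anything outside that allowlist is sent as an `application/octet-stream` attachment, and filenames that could leave the storage directory are rejected before the path is resolved. It assumes a `javax.servlet` `HttpServletResponse` and a hypothetical `STORAGE_ROOT` directory.

```java
import java.io.IOException;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Map;
import java.util.regex.Pattern;
import javax.servlet.http.HttpServletResponse;

public final class SafeFileDownload {
    // Assumption: the directory where uploads are stored is configured elsewhere.
    private static final Path STORAGE_ROOT = Paths.get("/var/lib/app/uploads").toAbsolutePath().normalize();
    // A filename must be a single path component made of a conservative character set.
    private static final Pattern SAFE_NAME = Pattern.compile("^[A-Za-z0-9][A-Za-z0-9._-]{0,254}$");
    // Only these types may be rendered inline; .html and everything else become downloads.
    private static final Map<String, String> INLINE_TYPES = Map.of(
        "png", "image/png", "jpg", "image/jpeg", "jpeg", "image/jpeg",
        "gif", "image/gif", "pdf", "application/pdf");

    static String contentTypeFor(String filename) {
        int dot = filename.lastIndexOf('.');
        String ext = dot < 0 ? "" : filename.substring(dot + 1).toLowerCase();
        return INLINE_TYPES.getOrDefault(ext, "application/octet-stream");
    }

    static Path resolveSafely(String filename) {
        if (!SAFE_NAME.matcher(filename).matches() || filename.contains("..")) {
            throw new IllegalArgumentException("rejected filename");
        }
        Path resolved = STORAGE_ROOT.resolve(filename).normalize();
        if (!resolved.startsWith(STORAGE_ROOT)) { // belt and braces: never serve outside the root
            throw new IllegalArgumentException("path escapes storage root");
        }
        return resolved;
    }

    public static void serve(String filename, HttpServletResponse response) throws IOException {
        Path file;
        try { file = resolveSafely(filename); }
        catch (IllegalArgumentException e) { response.sendError(HttpServletResponse.SC_BAD_REQUEST); return; }
        if (!Files.isRegularFile(file)) { response.sendError(HttpServletResponse.SC_NOT_FOUND); return; }
        String type = contentTypeFor(filename);
        response.setContentType(type);
        response.setHeader("X-Content-Type-Options", "nosniff"); // stop the browser re-guessing the type
        String disposition = "application/octet-stream".equals(type) ? "attachment" : "inline";
        response.setHeader("Content-Disposition", disposition + "; filename=\"" + filename + "\"");
        response.setHeader("Content-Security-Policy", "sandbox"); // no script even if something is rendered
        try (OutputStream out = response.getOutputStream()) { Files.copy(file, out); }
    }
}
```

With this handler a stored `malicious.html` is returned as an octet-stream attachment with `nosniff`, so the browser downloads it instead of executing its script in the application's origin.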
Detection:
1. Scan for .html Files:
```bash
# List stored uploads whose name ends in .html (replace /api/files/ with the server's file-storage directory)
find /api/files/ -type f -iname '*.html'
```
2. Check Headers:
```bash
# A text/html Content-Type on a user-uploaded file indicates the vulnerable behaviour
curl -sI https://target.com/api/files/uploaded.html | grep -i "Content-Type"
```
Analytics:
- Attack Surface: Authenticated users only.
- Exploitability: Medium (requires file upload).
- CVSS: 5.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N).
Reported By: github.com