CVE-2022-23065: fix(asset-server-plugin): Fix svg XSS vulnerability · vendure-ecommerce/vendure@69a4486
Vendure versions 0.1.0-alpha.2 to 1.5.1 are affected by a stored XSS vulnerability: an attacker with catalog permission can upload an SVG file containing malicious JavaScript via the "Assets" tab. The uploaded file affects administrators as well as regular users.
@@ -212,6 +212,7 @@ export class AssetServerPlugin implements NestModule, OnApplicationBootstrap {
mimeType = (await fromBuffer(file))?.mime || 'application/octet-stream’;
}
res.contentType(mimeType);
res.setHeader('content-security-policy’, `default-src 'self’`);
res.send(file);
} catch (e) {
const err = new Error(‘File not found’);
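Review bot: The policy added on L8, `default-src 'self'`, stops inline script in a served SVG but still permits script and other sub-resources loaded from the asset server's own origin, which is the origin that hosts user-uploaded files; a policy that grants no script allowance at all, e.g. `res.setHeader('content-security-policy', "default-src 'none'; style-src 'unsafe-inline'; sandbox")`, does not rest on that assumption. The identical header is set on the transformed-image path in the second hunk (L16) and should change together with this one. Setting `X-Content-Type-Options: nosniff` alongside `res.contentType(mimeType)` would also keep browsers from reinterpreting the sniffed or fallback `application/octet-stream` type. The enclosing request handler starts and ends outside the hunk.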
@@ -251,6 +252,7 @@ export class AssetServerPlugin implements NestModule, OnApplicationBootstrap {
Logger.debug(`Saved cached asset: ${cachedFileName}`, loggerCtx);
}
res.set('Content-Type’, `image/${(await image.metadata()).format}`);
res.setHeader('content-security-policy’, `default-src 'self’`);
res.send(imageBuffer);
return;
} catch (e) {
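Review bot: The header literal on L16 duplicates the one on the raw-file path in the first hunk, so the response policy now lives in two places that must be kept in sync by hand. A small private helper on the plugin that sets the content type and the security headers together, called from both response paths, would give the policy a single source of truth and make later hardening a one-line change. A brief comment above the header, such as `// CSP applied to every served asset, not only SVG, so script in any uploaded file cannot run in this origin`, would record why the header is unconditional here. The enclosing handler starts and ends outside the hunk.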