CVE-2022-0472: Unrestricted Upload of File with Dangerous Type in laracom

Description

Hi there, I would like to report a vulnerability that allows a hacker to upload dangerous file type in jsdecena/laracom.

Attacker must have an account with permission to Edit Product (E.g. Clerk role).

Then, he can upload malcious file with extensions such as html, svg,… which leads to XSS.

Proof of Concept

• ​After login, go to Products / List Products, click on Actions / Edit.

• In Cover or Images fields, upload html files with xss payload inside. For example: <script> alert(document.cookie) </script>.

• Click on update button to save.

• Demo Video: https://drive.google.com/file/d/1BsfbHp1I47E02ZKaa6ZhcjmHMxD6Jho4/view?usp=sharing

Impact

This vulnerability is capable of uploading dangerous file to serve