File Upload Vulnerability Leading to XSS in LinkAce v1.15.5

High
Kovah published GHSA-2wvv-4576-8862 Dec 27, 2024

Package

LinkAce

Affected versions

< v1.15.5

Patched versions

1.15.6 (if patched)

Description

Summary

A file upload vulnerability exists in the LinkAce web application (v1.15.5). This issue occurs in the "Import Bookmarks" functionality, where malicious HTML files can be uploaded containing JavaScript payloads. These payloads execute when the uploaded links are accessed, leading to potential reflected or persistent XSS scenarios.

Details

The vulnerability arises because the application does not properly validate or sanitize the content of uploaded HTML files. An attacker can embed JavaScript payloads into the bookmarks file, which are reflected back and executed in the victim’s browser.

PoC

Detailed POC is attached for your perusal.

LinkAce_FileUpload_XSS_Report.pdf

An attacker can embed JavaScript payloads into the bookmarks file, which are reflected back and executed in the victim's browser.

  1. Create an HTML file (payload.html) with the content shown below.
  2. Navigate to the "Import Bookmarks" page in LinkAce.
  3. Upload the malicious HTML file.
  4. Access the uploaded bookmarks link in the "All Links" section.
  5. Observe the execution of the JavaScript payload, such as cookie theft or arbitrary JavaScript execution.

Example of malicious HTML file content:
<!DOCTYPE NETSCAPE-Bookmark-file-1>
<!-- This is an automatically generated file.
     It will be read and overwritten.
     DO NOT EDIT! -->
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=UTF-8">
<TITLE>Bookmarks</TITLE>
<H1>Bookmarks</H1>
<DL><p>
    <DT><H3 ADD_DATE="1693937296" LAST_MODIFIED="1735062757" PERSONAL_TOOLBAR_FOLDER="true">Bookmarks bar</H3>
    <DL><p>
        <!-- Payload 1: Simple XSS -->
        <DT><A HREF="javascript:alert('XSS 1 - Document Cookie: ' + document.cookie);" ADD_DATE="1735062736">Simple XSS Alert</A>
        
    </DL><p>
</DL><p>
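The defensive counterpart to the Details section above is to validate every URL taken from an imported bookmark file against an allow-list of schemes before it is stored, and to keep escaping it on output. The following Python is an added example, not LinkAce's own (PHP) import code: the parser, the `is_safe_url` and `filter_import` names and the constructed sample export are the example's own, and the check also normalises case and whitespace the way browsers do, which goes beyond the single payload shown in the PoC.

```python
"""Allow-list check for URLs parsed from a Netscape-format bookmark export, the
file type an "Import Bookmarks" feature consumes. Added example, not LinkAce's code."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Browsers drop tab/CR/LF anywhere in a URL and space/C0 controls at its ends
# before working out the scheme, so the check normalises the same way.
_EDGE_CHARS = "".join(chr(c) for c in range(0x21))

class BookmarkHrefParser(HTMLParser):
    """Collect (href, title) pairs from <A HREF="...">title</A>; HREF entities are decoded."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":  # HTMLParser lowercases tag and attribute names
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def is_safe_url(href):
    """True only for absolute http(s) URLs; every other scheme is rejected."""
    cleaned = href.replace("\t", "").replace("\r", "").replace("\n", "")
    parts = urlsplit(cleaned.strip(_EDGE_CHARS))  # scheme comes back lowercased
    return parts.scheme in ALLOWED_SCHEMES and bool(parts.netloc)

def filter_import(html_text):
    """Split the bookmarks in an export into (accepted, rejected) (href, title) lists."""
    parser = BookmarkHrefParser()
    parser.feed(html_text)
    parser.close()
    accepted = [lk for lk in parser.links if is_safe_url(lk[0])]
    return accepted, [lk for lk in parser.links if lk not in accepted]

# Constructed sample export: one legitimate entry plus entries that must be rejected.
SAMPLE_EXPORT = """<!DOCTYPE NETSCAPE-Bookmark-file-1>
<DL><p>
    <DT><A HREF="https://example.com/docs" ADD_DATE="1735062736">Docs</A>
    <DT><A HREF="javascript:alert(1)" ADD_DATE="1735062736">Script scheme</A>
    <DT><A HREF=" JavaScript:alert(1)" ADD_DATE="1735062736">Mixed case</A>
    <DT><A HREF="java&#9;script:alert(1)" ADD_DATE="1735062736">Encoded tab</A>
    <DT><A HREF="data:text/html,x" ADD_DATE="1735062736">Data URL</A>
</DL><p>
"""
```

Rejected entries should be reported back to the importing user rather than silently dropped, and the accepted URLs still need HTML-escaping wherever they are rendered.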

Impact

This vulnerability allows attackers to:

Execute arbitrary JavaScript in the victim’s browser.
Steal session cookies and impersonate users.

Severity

High


CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
High
Availability
None

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:N

CVE ID

CVE-2024-56508
