Stored cross-site scripting found in edit author page 

Issue date: 13-12-2021
Affects versions: 14.6

Security Issue ID

SECURITY-238

 

Affected Product Version(s)

14.6.3


Severity 

medium


Description

A stored cross-site scripting vulnerability was found. It was possible for an authenticated user to insert JavaScript actions into an SVG file: an SVG containing unsafe JavaScript-related attributes was not rejected by the upload validation.

Before this fix SVGs were only checked for the presence of the "script" element and the "onload" attribute. Now SVGs are checked for the following attributes as well:


"onbegin", "onend", "onrepeat", "onabort", "onerror", "onresize", "onscroll", "onunload", "oncopy", "oncut", "onpaste", "oncancel", "oncanplay", "oncanplaythrough", "onchange", "onclick", "onclose", "oncuechange", "ondblclick", "ondrag", "ondragend", "ondragenter", "ondragleave", "ondragover", "ondragstart", "ondrop", "ondurationchange", "onemptied", "onended", "onerror", "onfocus", "oninput", "oninvalid", "onkeydown", "onkeypress", "onkeyup", "onload", "onloadeddata", "onloadedmetadata", "onloadstart", "onmousedown", "onmouseenter", "onmouseleave", "onmousemove", "onmouseout", "onmouseover", "onmouseup", "onmousewheel", "onpause", "onplay", "onplaying", "onprogress", "onratechange", "onreset", "onresize", "onscroll", "onseeked", "onseeking", "onselect", "onshow", "onstalled", "onsubmit", "onsuspend", "ontimeupdate", "ontoggle", "onvolumechange", "onwaiting", "onactivate", "onfocusin", "onfocusout"

In addition, SVGs with a javascript: URL in the style element can no longer be uploaded.

These additional checks required actually parsing the SVG instead of searching its text, which also makes the checks more precise. Before this fix an SVG containing the string "onload" anywhere (for example in text content) could not be uploaded; now that occurrence has to be an attribute.
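The following is an added illustration of the parser-based check described above; it is example code written for this page, not the product's own validator. It parses the SVG with Python's standard xml.etree, rejects "script" elements, any of the event attributes listed above (collected into a set, which also collapses the duplicates in the published list) and a javascript: URL inside a style element, and contrasts that with the old substring search, which rejected a harmless file merely because the text "onload" appeared in it. The sample SVGs are constructed for the example; in production, parsing untrusted XML should go through a hardened parser such as defusedxml rather than the stock ElementTree used here.

```python
import xml.etree.ElementTree as ET

# Event-handler attributes rejected by the fixed validator (the list from the
# advisory, as a set so the duplicated names in the published list collapse).
EVENT_ATTRIBUTES = frozenset("""
onbegin onend onrepeat onabort onerror onresize onscroll onunload oncopy oncut onpaste
oncancel oncanplay oncanplaythrough onchange onclick onclose oncuechange ondblclick
ondrag ondragend ondragenter ondragleave ondragover ondragstart ondrop ondurationchange
onemptied onended onfocus oninput oninvalid onkeydown onkeypress onkeyup onload
onloadeddata onloadedmetadata onloadstart onmousedown onmouseenter onmouseleave
onmousemove onmouseout onmouseover onmouseup onmousewheel onpause onplay onplaying
onprogress onratechange onreset onseeked onseeking onselect onshow onstalled onsubmit
onsuspend ontimeupdate ontoggle onvolumechange onwaiting onactivate onfocusin onfocusout
""".split())


def _local_name(qualified: str) -> str:
    """Strip the ElementTree '{namespace}' prefix: '{...svg}script' -> 'script'."""
    return qualified.rsplit("}", 1)[-1]


def find_svg_violations(svg_bytes: bytes) -> list:
    """Parse the SVG and return the reasons to reject it (empty list = accepted).

    Every finding is tied to a real element or attribute in the parsed tree,
    so the same string inside text content or a comment is not a finding.
    NOTE: stock ElementTree is used for brevity; use defusedxml for untrusted input.
    """
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]

    violations = []
    for elem in root.iter():
        name = _local_name(elem.tag).lower()
        if name == "script":
            violations.append("<script> element")
        if name == "style" and "javascript:" in (elem.text or "").lower():
            violations.append("javascript: URL in <style> element")
        for attr in elem.attrib:
            if _local_name(attr).lower() in EVENT_ATTRIBUTES:
                violations.append(f"event attribute {_local_name(attr)} on <{name}>")
    return violations


def is_safe_svg(svg_bytes: bytes) -> bool:
    """Upload gate: True only when the parser-based check finds nothing."""
    return not find_svg_violations(svg_bytes)


def naive_text_search_rejects(svg_bytes: bytes) -> bool:
    """The pre-fix style of check: reject on any textual occurrence of the strings."""
    text = svg_bytes.decode("utf-8", errors="replace").lower()
    return "<script" in text or "onload" in text


# Constructed sample inputs for the example (not files from the advisory).
BENIGN_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg">'
              b'<text>Click onload.svg to download</text></svg>')
ONBEGIN_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg"><rect width="1" height="1">'
               b'<animate attributeName="x" onbegin="alert(1)"/></rect></svg>')
STYLE_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg">'
             b'<style>rect { background: url(javascript:alert(1)) }</style><rect/></svg>')
SCRIPT_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>'

if __name__ == "__main__":
    for label, data in [("benign", BENIGN_SVG), ("onbegin", ONBEGIN_SVG),
                        ("style", STYLE_SVG), ("script", SCRIPT_SVG)]:
        print(f"{label:8s} text-search rejects={naive_text_search_rejects(data)!s:5s} "
              f"parser findings={find_svg_violations(data)}")
```

The benign file is rejected by the text search but accepted by the parser, while the onbegin payload (no "script", no "onload") slips past the text search and is caught only by the attribute check, which is the precision gain the advisory describes. The example mirrors only the checks named on this page; other JavaScript vectors in SVG (for instance javascript: URLs in attributes rather than the style element) would need checks of their own.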

Instructions

Customers are recommended to upgrade to the latest release versions as indicated above. This can be done by incrementing the version number of the parent POM for the implementation project.

Credit for discovering this issue

Valentin Larion