Stored XSS via File Upload
A stored cross-site scripting (XSS) vulnerability was discovered in the file upload function of the latest version of the software. This issue was patched in version 20240410.
Threat Overview
The vulnerability allows an attacker to upload a malicious HTML file containing JavaScript code. When a user accesses the uploaded file, the malicious script is executed in the context of the user's browser, potentially leading to session hijacking, data theft, or other malicious activities.
Attack Scenario
An attacker uploads a malicious HTML file containing JavaScript code to the application. When another user accesses the uploaded file via a provided URL, the malicious script executes in the user's browser, allowing the attacker to perform actions such as stealing cookies, session tokens, or other sensitive information.
Who is affected
Users of the latest version of the software who access files uploaded by other users are affected by this vulnerability.
Technical Report
Want more out of Sightline?
Sightline offers even more for premium customers
Go Premium
We have - related security advisories that are available with Sightline Premium.