Skip to content
main
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
CVEs/CVE-2021-25278/
CVEs/CVE-2021-25278/

Latest commit

 

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
 
 
 
 
 
 

FTAPI Stored XSS (via Submit Box Template)

A stored Cross-Site Scripting (XSS) vulnerability in the submit box layout editor of the “FTAPI” file exchange web application allows an attacker to upload SVG files with embedded JavaScript. This may allow a malicious entity to compromise the session of a victim by tricking them into visiting the uploaded file.

The vulnerability was reported as CVE-2021-25278.

Versions affected: FTAPI 4.X < 4.11

Figure 1: Vulnerable background image upload in the submit box layout editor

Figure 1: Vulnerable background image upload in the submit box layout editor

Background

A user with administrative rights may be able to upload a malicious SVG file with embedded JavaScript via the background image file upload of the submit box layout editor. This could lead to XSS once the file is visited by a victim user.

Steps to Reproduce

By uploading the following SVG file as a background image, an alert is triggered:

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
   <script type="text/javascript">
      alert('XSS');
   </script>
</svg>

The uploaded file is saved in the public „/api/2/staticfile/“ directory and leads to XSS once it is viewed:

Figure 2: Stored XSS through an uploaded malicious SVG file

Figure 2: Stored XSS through an uploaded malicious SVG file

Root Cause

This issue exists due to insufficient input filtering in the background image file upload. To mitigate the issue, we recommend disallowing the upload of SVG files. Alternatively, SVG sanitization or image conversion (e.g., to PNG) should be implemented.

Fix

All software versions of the 4.X branch < version 4.11 are affected. The vendor was informed of the finding on January 1, 2021. The vulnerability is fixed with version 4.11 which is available here: https://docs.ftapi.com/display/RN/4.11.0