[bug]: Insecure File Upload leads to XSS
Is there an existing issue for this?
- [X] I have searched the existing issues
Current behavior
When I upload an SVG image file to a Plane issue, I would assume that it is either blocked or that the SVG content is sanitized before being uploaded and made available to others.
However, uploading an SVG image file with an XSS payload is allowed and not sanitized. This introduces a potential Stored Cross-Site Scripting (XSS) vulnerability.
This issue may be linked to https://github.com/makeplane/plane/issues/1988
Steps to reproduce
- Log into Plane
- Create an issue or select a pre-existing one
- Upload an SVG image file with an XSS payload
- Open the uploaded SVG image and observe XSS popup
An example SVG file, svg-xss-xml.svg, would be:

```xml
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
  <script type="text/javascript">
    alert('XSS-Vulnerability-SVG');
  </script>
</svg>
```
After uploading and browsing to the file, the XSS payload will pop up, showing the string "XSS-Vulnerability-SVG".
Either properly sanitize and restrict file uploads, or allow attachment downloads only (no rendering in the browser itself).
Browser
Mozilla Firefox
Version
Self-hosted
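The two mitigations the report asks for (reject SVGs that carry active content, and serve attachments as downloads rather than rendering them in the application's origin) can be illustrated in Python. This is an added example, not code from the Plane project: the size cap, the list of elements and attributes treated as active, and the header set are assumptions, and a production service should parse with `defusedxml` rather than the stdlib parser shown here to avoid entity-expansion attacks.

```python
import re
import xml.etree.ElementTree as ET

# Hypothetical upload cap for the check; not a Plane setting.
MAX_SVG_BYTES = 2 * 1024 * 1024

# Elements that embed script or arbitrary HTML inside an SVG document (assumed list).
ACTIVE_ELEMENTS = {"script", "foreignobject"}
# Link attributes that may carry a javascript: URL.
URL_ATTRIBUTES = {"href", "{http://www.w3.org/1999/xlink}href"}


def _local_name(qname: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on qualified names."""
    return qname.rsplit("}", 1)[-1].lower()


def find_active_svg_content(data: bytes) -> list[str]:
    """Return the reasons an uploaded SVG is unsafe to render inline.

    An empty list means no active content was found. The stdlib parser does not
    fetch external DTDs, but it will expand internal entities, so real deployments
    should use defusedxml (assumption: not shown here).
    """
    if len(data) > MAX_SVG_BYTES:
        return ["file exceeds size limit"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if _local_name(root.tag) != "svg":
        return [f"root element is <{_local_name(root.tag)}>, not <svg>"]

    reasons = []
    for elem in root.iter():
        name = _local_name(elem.tag)
        if name in ACTIVE_ELEMENTS:
            reasons.append(f"<{name}> element")
        for attr, value in elem.attrib.items():
            attr_name = _local_name(attr)
            # onload=, onclick= and friends run script when the image is rendered.
            if attr_name.startswith("on"):
                reasons.append(f"event handler attribute {attr_name} on <{name}>")
            if attr in URL_ATTRIBUTES and re.match(r"^\s*javascript:", value, re.I):
                reasons.append(f"javascript: URL in {attr_name} on <{name}>")
    return reasons


def attachment_headers(filename: str, content_type: str = "image/svg+xml") -> dict[str, str]:
    """Response headers that force a download instead of inline rendering.

    Content-Disposition: attachment keeps the browser from executing the document
    in the application's origin; nosniff and a sandboxing CSP are belt-and-braces.
    """
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", filename.rsplit("/", 1)[-1]) or "download"
    return {
        "Content-Type": content_type,
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }


# Constructed samples: the report's payload and a benign icon.
MALICIOUS_SVG = b"""<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<script type="text/javascript">
alert('XSS-Vulnerability-SVG');
</script>
</svg>"""
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>'


if __name__ == "__main__":
    for label, sample in (("malicious", MALICIOUS_SVG), ("benign", BENIGN_SVG)):
        print(label, find_active_svg_content(sample) or "no active content")
    print(attachment_headers("../svg-xss-xml.svg"))
```

An upload handler would call `find_active_svg_content` on the decoded body and reject the file when the list is non-empty; whatever is stored is then served with `attachment_headers`, so even an SVG that slips past the check is downloaded rather than executed in the app's origin.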
Also make sure to set cookie flags such as SameSite and HttpOnly on the cookies refreshToken and accessToken.
https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes
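As an added illustration of the cookie point above (not code from Plane, whose token-cookie handling is not shown on this page), the following Python builds a hardened `Set-Cookie` value for a token cookie and checks an arbitrary `Set-Cookie` value for the flags the OWASP guide lists. The cookie names come from the comment; the lifetime and `SameSite=Lax` default are assumptions.

```python
from http.cookies import SimpleCookie

# Attributes a session or token cookie should carry (per the OWASP cookie-attributes test).
REQUIRED_FLAGS = ("Secure", "HttpOnly", "SameSite")


def build_auth_cookie(name: str, value: str, max_age: int = 3600, same_site: str = "Lax") -> str:
    """Return a Set-Cookie header value with Secure, HttpOnly and SameSite set.

    HttpOnly keeps the token out of reach of script (including script injected
    via the SVG issue), Secure restricts it to TLS, and SameSite limits cross-site
    sends. max_age and same_site defaults are assumptions for the example.
    """
    cookie = SimpleCookie()
    cookie[name] = value
    morsel = cookie[name]
    morsel["path"] = "/"
    morsel["max-age"] = max_age
    morsel["secure"] = True
    morsel["httponly"] = True
    morsel["samesite"] = same_site
    return morsel.OutputString()


def missing_cookie_flags(set_cookie_value: str) -> set[str]:
    """Return which required attributes a raw Set-Cookie header value lacks."""
    parts = set_cookie_value.split(";")[1:]  # drop the name=value pair
    present = {part.strip().split("=", 1)[0].lower() for part in parts}
    return {flag for flag in REQUIRED_FLAGS if flag.lower() not in present}


if __name__ == "__main__":
    # Constructed values; a real token would be an opaque or signed string.
    for name in ("accessToken", "refreshToken"):
        header = build_auth_cookie(name, "example-token-value")
        print(header, "->", missing_cookie_flags(header) or "all flags set")
    print(missing_cookie_flags("refreshToken=example; Path=/"))
```

Running `missing_cookie_flags` over the `Set-Cookie` headers of a login response is a quick regression check that the flags stay set after a deployment change.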
Is this issue still open? anyone working on it?
I've never heard back. Would assume this is still an issue.