GHSA-2hw3-h8qx-hqqp

Описание

XSS via .py file containing script tag interpreted as HTML

Summary

A vulnerability exists in the file preview/browsing feature of the application, where files with a .py extension that contain JavaScript code wrapped in <script> tags may be interpreted and executed as HTML in certain modes. This leads to a stored XSS vulnerability.

Affected Versions

• <= 4.0.0-rc.3

PoC

Create a .py file with arbitrary JavaScript content wrapped in <script> tags. For example:

When a victim views the file in browsing mode (e.g., a rendered preview), the JavaScript is executed in the browser context.

---

Attack vector

An attacker can place such a .py file in the system via remote channels, such as:

• Convincing a webmaster to download or upload the file;
• Tricking users into accessing a file link via public URLs.

Required permissions

• None, if public or visitor access is enabled.
• If the file is uploaded by a user with elevated permissions, potential privilege boundaries may be crossed.

User interaction

Yes. The user must manually click to switch to the browsing or preview mode to trigger the script. And seems only when using ISO-8859-1 encoding.

Scope

• Unchanged (S:U) - The attack does not cross system or privilege boundaries in general.
• ⚠️ Controversial edge case: If sensitive preview files are accessible due to misconfiguration, scope could be considered Changed (S:C).

Impact

• Confidentiality: User information including cookies, login state, and localStorage may be accessed. Some files that only can be viewed via this user will leak too.
• Integrity & Availability: Not directly impacted.

---

Recommendations

• Treat all previewed file types (including non-HTML like .py) as plain text unless explicitly sanitized.
• Disable rendering modes that can interpret user-uploaded content as HTML.

Timeline

Credits

• Discovered by: @zyk2507
• Reported to: The OpenList Team
• Analyzed and confirmed by: @jyxjjj
• Fixed by: @cxw620
• Fixed in: 4.0.0-rc.4