Overview
In Publify, versions v8.0 to v9.2.4 are vulnerable to stored XSS as a result of an unrestricted file upload. This issue allows a user with the “publisher” role to inject malicious JavaScript via an uploaded HTML file, which the application then serves inline from its own origin.
Details
Publify is vulnerable to stored XSS as a result of an unrestricted file upload. The resource upload endpoint does not restrict the type of file a “publisher” can upload, and the uploaded file is later served to other users as HTML, so any script it contains runs in the context of the Publify site when an administrator views it.
PoC Details
In incognito mode, sign in as Alice, a user with the “publisher” role. Browse to the “admin/resources” endpoint and upload a malicious HTML file (we’ll call it “hello.html”) containing the payload.
In another window, log in as an admin and open the “files/resource/__/hello.html” endpoint. The payload is triggered.
Affected Environments
Publify versions 8.0 to 9.2.4
Prevention
Update to Publify version v9.2.5
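The root cause above is an upload path that accepts any file type and a download path that serves it inline. As an added illustration of the mitigation class (not Publify's own code, and not the v9.2.5 fix), the following Ruby shows the two checks a defender would want: an allowlist that validates both the declared type and the file's magic bytes, and response headers that serve anything outside the allowlist as a download with sniffing disabled. All names are hypothetical.

```ruby
require 'set'

# Types a browser can render inline without executing script.
SAFE_INLINE_TYPES = Set['image/png', 'image/jpeg', 'image/gif', 'application/pdf'].freeze

# Types that execute script when rendered inline; never serve these inline from an upload.
ACTIVE_TYPES = Set['text/html', 'application/xhtml+xml', 'image/svg+xml',
                   'text/xml', 'application/xml'].freeze

# Cheap magic-byte sniff so a file renamed to ".png" that is really HTML is still caught.
# Returns a MIME type, or nil when the prefix is not recognised.
def sniff_type(bytes)
  head = bytes.b[0, 512]
  return 'image/png'       if head.start_with?("\x89PNG\r\n\x1a\n".b)
  return 'image/jpeg'      if head.start_with?("\xFF\xD8\xFF".b)
  return 'image/gif'       if head.start_with?('GIF87a'.b) || head.start_with?('GIF89a'.b)
  return 'application/pdf' if head.start_with?('%PDF-'.b)
  # Anything starting with a tag is treated as active markup (HTML, SVG, XML).
  return 'text/html' if head.lstrip.start_with?('<'.b)
  nil
end

# Accept an upload only when the declared type is allowlisted and the content agrees.
def upload_allowed?(declared_type, bytes)
  actual = sniff_type(bytes)
  !actual.nil? && SAFE_INLINE_TYPES.include?(declared_type) && actual == declared_type
end

# Headers for serving a stored file. Allowlisted types go out inline; everything else is
# forced to a download with an opaque type so the browser never renders it in the origin.
def response_headers(stored_type, filename)
  headers = { 'X-Content-Type-Options' => 'nosniff' }
  if SAFE_INLINE_TYPES.include?(stored_type) && !ACTIVE_TYPES.include?(stored_type)
    headers['Content-Type'] = stored_type
    headers['Content-Disposition'] = 'inline'
  else
    headers['Content-Type'] = 'application/octet-stream'
    headers['Content-Disposition'] = "attachment; filename=\"#{filename.delete('"')}\""
  end
  headers
end
```

Applying both checks closes the path in this advisory twice over: the HTML file is rejected at upload, and even a file that slipped into storage is served as an attachment rather than rendered.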