CVE-2024-50344

I, Librarian (Free) - Stored XSS

I, Librarian is an open-source version of a PDF managing SaaS.

Supplemental Files are allowed to be viewed in the browser, only if they have a white-listed MIME type. Unfortunately, this logic is broken, thus allowing unsafe files containing Javascript to be executed with the application context. An attacker can exploit this vulnerability by uploading a supplementary file that contains a malicious code or script. This code will then be executed when the file is loaded in the browser.

The vulnerability was fixed in version 5.11.2.

Steps to Reproduce

1. Login and upload a malicious HTML file containing any JavaScript payload.

2. Exploit the file download functionality to display any file inside the browser by injecting the response's Content-Disposition header.

3. To do that, navigate to the malicious HTML supplement file and edit the download link by adding the extra parameter "&disposition", without even specifying any value for it.

4. This causes the web application's response to set the Content-Disposition header's value to inline.

References

• https://github.com/mkucej/i-librarian-free

• https://nvd.nist.gov/vuln/detail/CVE-2024-50344

• https://github.com/mkucej/i-librarian-free/security/advisories/GHSA-c2rm-w62w-5xmj

• https://i-librarian.net/