CVE-2024-28147 in edu-sharing
Summary
by MITRE • 06/20/2024
An authenticated user can upload arbitrary files in the upload function for collection preview images. An attacker may upload an HTML file that includes malicious JavaScript code which will be executed if a user visits the direct URL of the collection preview image (Stored Cross Site Scripting). It is also possible to upload SVG files that include nested XML entities. Those are parsed when a user visits the direct URL of the collection preview image, which may be utilized for a Denial of Service attack.
This issue affects edu-sharing: <8.0.8-RC2, <8.1.4-RC0, <9.0.0-RC19.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 03/22/2025
This vulnerability represents a critical security flaw in the edu-sharing platform that enables authenticated users to execute stored cross-site scripting attacks through malicious file uploads. The vulnerability stems from insufficient input validation and sanitization within the collection preview image upload functionality, creating a persistent security weakness that can be exploited by attackers who have already gained authentication credentials. The flaw allows adversaries to upload files that will be executed when legitimate users access the direct URL of the uploaded preview images, fundamentally compromising the integrity of the platform's user interactions.
The technical implementation of this vulnerability involves two primary attack vectors that leverage different aspects of web application security. The first vector enables stored cross-site scripting through HTML file uploads containing malicious javascript code that executes in the context of authenticated users' browsers. This follows the CWE-079 pattern of insufficient input validation for cross-site scripting attacks, where user-supplied data is directly embedded into web pages without proper sanitization or encoding. The second vector exploits XML entity parsing through SVG file uploads that contain nested XML entities, which are processed when the image is accessed, potentially leading to denial of service conditions. This relates to CWE-611 issues involving insufficient protection against XML external entity attacks and demonstrates how XML parsing can be weaponized for resource exhaustion attacks.
The operational impact of this vulnerability extends beyond simple XSS exploitation, as it creates persistent attack surfaces that can be leveraged for various malicious activities. An attacker who successfully uploads malicious content can potentially steal session cookies, redirect users to phishing sites, or perform actions on behalf of authenticated users within the application context. The denial of service component adds another dimension of risk, as the XML entity parsing can consume excessive system resources and potentially cause application instability or unavailability. This vulnerability affects multiple versions of the edu-sharing platform, specifically those below 8.0.8-RC2, 8.1.4-RC0, and 9.0.0-RC19, indicating a widespread issue that requires immediate attention across affected deployments.
Organizations utilizing edu-sharing platforms should implement immediate mitigations to address this vulnerability, including implementing strict file type validation and content sanitization for all uploaded files. The recommended approach involves enforcing MIME type checking, implementing file extension restrictions, and applying comprehensive content sanitization to prevent the execution of malicious code within uploaded files. Additionally, implementing proper access controls and privilege separation can limit the impact of successful exploitation attempts. Security teams should also consider deploying web application firewalls and monitoring for suspicious upload activities. From an ATT&CK framework perspective, this vulnerability aligns with techniques involving command and control communication and privilege escalation through web application exploitation, making it a critical target for immediate remediation and ongoing security monitoring to prevent potential compromise of user sessions and system availability.