
Vulnerability Arbitrary Image Upload + XSS Via Image Name #151

Open
jeagercoder opened this issue Nov 30, 2021 · 2 comments

Comments

@jeagercoder

https://github.com/pylixm/django-mdeditor/blob/master/mdeditor/views.py

1. No authentication check, so anyone can upload an image file.
2. The name of the uploaded file is not cleaned, so it is vulnerable to an XSS attack; one can upload a file with a name like: "><script>alert(1)</script>
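
The two defects above (an upload endpoint with no authentication check, and a user-supplied file name stored and echoed back unsanitized) are both fixed on the server side by never trusting the uploaded name. The following is an added example, not code from django-mdeditor or the reporter: a framework-independent set of checks that a Django view would call after confirming `request.user.is_authenticated` (or behind `login_required`). It strips path components, replaces every character outside `[A-Za-z0-9_-]` so a payload such as `"><script>` cannot survive into the stored name or the JSON reply, allowlists image extensions, and sniffs the leading bytes so an HTML body cannot hide behind a `.png` name. The allowlist, length limit, and random suffix are constructed choices for this example.

```python
"""Hardened handling for an image-upload endpoint (added example, not project code).

Assumptions (not taken from the issue): uploads go to a fixed server directory,
the stored name is echoed back to the editor, and the allowlist below is ours.
"""
import os
import re
import secrets

ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif", ".webp"}  # constructed allowlist

# Leading bytes each allowed format must start with (WebP is RIFF....WEBP, checked below).
MAGIC_PREFIXES = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}

# Shape every stored name must have: safe stem, dash, 8 hex chars, lowercase extension.
SAFE_NAME_RE = re.compile(r"[A-Za-z0-9_-]+-[0-9a-f]{8}\.[a-z]+")
_UNSAFE_CHARS = re.compile(r"[^A-Za-z0-9_-]")
MAX_STEM = 64  # constructed limit on the user-derived part of the name


class UploadRejected(ValueError):
    """Raised when an upload fails the name or content checks."""


def sanitize_filename(user_supplied: str) -> str:
    """Derive a server-chosen file name from an untrusted one.

    Path separators are dropped (no traversal), every character outside
    [A-Za-z0-9_-] is replaced (dots included, so "x.php.png" becomes "x_php"),
    the extension must be allowlisted, and a random suffix avoids collisions.
    """
    base = os.path.basename(user_supplied.replace("\\", "/"))  # both separator styles
    stem, ext = os.path.splitext(base)
    ext = ext.lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise UploadRejected(f"extension {ext!r} is not an allowed image type")
    stem = _UNSAFE_CHARS.sub("_", stem).strip("_")[:MAX_STEM] or "image"
    return f"{stem}-{secrets.token_hex(4)}{ext}"


def looks_like_image(data: bytes, ext: str) -> bool:
    """Magic-byte check so an HTML or script body cannot pass as an image."""
    if ext == ".webp":
        return data[:4] == b"RIFF" and data[8:12] == b"WEBP"
    return any(data.startswith(prefix) for prefix in MAGIC_PREFIXES.get(ext, ()))


def check_upload(user_name: str, data: bytes, authenticated: bool) -> tuple[bool, str]:
    """Run all three checks; return (accepted, stored_name_or_rejection_reason)."""
    if not authenticated:  # in Django: request.user.is_authenticated
        return False, "authentication required"
    try:
        safe_name = sanitize_filename(user_name)
    except UploadRejected as exc:
        return False, str(exc)
    ext = os.path.splitext(safe_name)[1]
    if not looks_like_image(data, ext):
        return False, "content does not match the declared image type"
    return True, safe_name


def is_safe_name(name: str) -> bool:
    """True when a stored name has the shape produced by sanitize_filename."""
    return SAFE_NAME_RE.fullmatch(name) is not None


if __name__ == "__main__":
    PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32  # constructed PNG-like header
    cases = [
        ('"><script>alert(1)</script>', PNG, True),          # name from the report: no allowed extension
        ('"><script>alert(1)</script>.png', PNG, True),      # same name with an image extension
        ("../../etc/passwd.png", PNG, True),                 # traversal attempt
        ("cat.png", b"<html><script>x</script>", True),      # HTML body behind .png
        ("cat.png", PNG, False),                             # anonymous caller
        ("holiday photo.PNG", PNG, True),                    # legitimate upload
    ]
    for name, body, auth in cases:
        print(f"{name!r:40} -> {check_upload(name, body, auth)}")
```

Only the value returned by `check_upload` should ever be written to disk or placed in the JSON reply; the original name is at most logged, escaped, for debugging.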

@pylixm
Owner

pylixm commented Dec 1, 2021

@zonefteam Thank you for the reminder; I will fix it later.

Before releasing the new version, I hope everyone can check whether the problem will bring security risks to their services.

@pylixm pylixm pinned this issue Dec 1, 2021
@jeagercoder
Author

Of course, because it is a security vulnerability:

1. Arbitrary file upload
2. Stored XSS

In our community there are some people who use django-mdeditor; after I told them, they immediately disabled the vulnerable upload feature.
