CVE-2017-20158

LOW 3.5 / 10.0
Published: December 31, 2022 at 11:15 AM
Modified: November 21, 2024 at 03:22 AM
Source: cna@vuldb.com

Vulnerability Description

** UNSUPPORTED WHEN ASSIGNED ** A vulnerability was found in vova07 Yii2 FileAPI Widget up to 0.1.8. It has been declared as problematic. Affected by this vulnerability is the function run of the file actions/UploadAction.php. The manipulation of the argument file leads to cross site scripting. The attack can be launched remotely. Upgrading to version 0.1.9 is able to address this issue. The identifier of the patch is c00d1e4fc912257fca1fce66d7a163bdbb4c8222. It is recommended to upgrade the affected component. The identifier VDB-217141 was assigned to this vulnerability. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

CVSS Metrics

Base Score: 3.5
Severity: LOW
Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N

Weaknesses (CWE)

Source: cna@vuldb.com
Source: nvd@nist.gov

AI Security Analysis

01 // Technical Summary

CVE-2017-20158 exposes a Cross-Site Scripting (XSS) vulnerability in the vova07 Yii2 FileAPI Widget versions up to 0.1.8, allowing attackers to inject malicious scripts into web pages. This vulnerability, located in the UploadAction.php file, can lead to compromise of user sessions and data theft. The vendor has provided a patch in version 0.1.9, but the product is no longer supported, increasing the risk of exploitation.

02 // Vulnerability Mechanism

Step 1: Payload Delivery: The attacker crafts a malicious payload, typically JavaScript code, and embeds it within the filename or other upload parameters when interacting with the FileAPI widget's upload functionality.

Step 2: File Upload: The attacker uploads a file with the crafted payload. The vulnerable UploadAction.php processes the upload.

Step 3: Insufficient Sanitization: The run function within UploadAction.php fails to properly sanitize or encode the filename or other upload parameters containing the malicious payload.

Step 4: Data Storage: The uploaded file and its associated metadata (including the malicious filename) are stored on the server.

Step 5: Data Retrieval/Display: When a user views a page that displays the uploaded file information (e.g., a list of uploaded files), the vulnerable code retrieves the unsanitized data from the server.

Step 6: Payload Execution: The unsanitized filename containing the malicious JavaScript is rendered in the user's browser without proper escaping. This causes the attacker's JavaScript payload to execute within the context of the user's session, leading to XSS.

03 // Deep Technical Analysis

The vulnerability stems from insufficient input validation and output encoding within the run function of UploadAction.php in the vova07 Yii2 FileAPI Widget. The code fails to properly sanitize user-supplied input related to file uploads, allowing an attacker to inject malicious JavaScript code into the filename or other upload-related parameters. When this data is later displayed on a web page without proper escaping (e.g., HTML escaping), the injected script executes in the user's browser, leading to XSS. This allows for the injection of arbitrary HTML and JavaScript.
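The two controls named in sections 02 and 03, input validation of the upload name and output encoding when it is rendered, shown as an added PHP example. This is not the widget's code or its patch; the helper names (safeStoredName, h, uploadResponse) and the sample filename are hypothetical and constructed for illustration.

```php
<?php
// Added illustration; helper names are hypothetical, not from the widget.

/** Reduce a client-supplied upload name to a conservative allow-list. */
function safeStoredName(string $clientName): string
{
    // Drop any path component, then split stem and extension.
    $base = basename(str_replace('\\', '/', $clientName));
    $ext  = strtolower(pathinfo($base, PATHINFO_EXTENSION));
    $stem = pathinfo($base, PATHINFO_FILENAME);

    // Keep only letters, digits, dot, dash and underscore in the stem.
    $stem = trim(preg_replace('/[^A-Za-z0-9._-]+/', '_', $stem), '._-');
    if ($stem === '') {
        $stem = 'upload';
    }
    $ext = preg_replace('/[^a-z0-9]+/', '', $ext);

    return $ext === '' ? $stem : $stem . '.' . $ext;
}

/** Encode a value for an HTML text or quoted-attribute context. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** JSON body for an upload response; <, >, & and quotes are hex-escaped. */
function uploadResponse(string $name): string
{
    return json_encode(
        ['name' => $name],
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// Constructed sample: a client-supplied name that carries markup.
$clientName = '"><u>report 2024.png';

// Validation at upload time: store a name built from the allow-list only.
echo safeStoredName($clientName), PHP_EOL;

// Encoding at display time: even the raw name renders as inert text.
echo '<li>', h($clientName), '</li>', PHP_EOL;

// Encoding in the upload response: no literal angle brackets or quotes.
echo uploadResponse($clientName), PHP_EOL;
```

Validation at storage time does not replace encoding at display time: names already stored by a release up to 0.1.8 still need `h()` (or Yii's `Html::encode()`) wherever they are rendered.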
