CVE-2017-20158

Source: cna@vuldb.com

LOW
3.5
Published: December 31, 2022 at 11:15 AM
Modified: November 21, 2024 at 03:22 AM

Vulnerability Description

** UNSUPPORTED WHEN ASSIGNED ** A vulnerability was found in vova07 Yii2 FileAPI Widget up to 0.1.8. It has been declared as problematic. Affected by this vulnerability is the function run of the file actions/UploadAction.php. The manipulation of the argument file leads to cross site scripting. The attack can be launched remotely. Upgrading to version 0.1.9 is able to address this issue. The identifier of the patch is c00d1e4fc912257fca1fce66d7a163bdbb4c8222. It is recommended to upgrade the affected component. The identifier VDB-217141 was assigned to this vulnerability. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

CVSS Metrics

Base Score
3.5
Severity
LOW
Vector String
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N

Weaknesses (CWE)

Source: cna@vuldb.com
Source: nvd@nist.gov

AI Security Analysis

01 // Technical Summary

CVE-2017-20158 exposes a Cross-Site Scripting (XSS) vulnerability in the vova07 Yii2 FileAPI Widget versions up to 0.1.8, allowing attackers to inject malicious scripts into web pages. This vulnerability, residing within the UploadAction.php file, can lead to compromised user sessions and data theft. The vendor has provided a patch in version 0.1.9, but the product is no longer supported, increasing the risk.

02 // Vulnerability Mechanism

Step 1: Payload Delivery: The attacker crafts a malicious filename containing JavaScript code (e.g., <script>alert('XSS')</script>).

Step 2: File Upload: The attacker uploads a file with the crafted malicious filename using the vulnerable vova07 Yii2 FileAPI Widget.

Step 3: Server-Side Processing: The UploadAction.php script processes the uploaded file, likely storing the filename in a database or displaying it on a web page.

Step 4: Insufficient Sanitization: The application fails to properly sanitize or encode the malicious filename before displaying it.

Step 5: XSS Execution: When a legitimate user views the web page where the filename is displayed, the browser interprets the injected JavaScript code, executing the attacker's payload.

03 // Deep Technical Analysis

The vulnerability stems from insufficient input validation and output encoding in the run function of UploadAction.php in the vova07 Yii2 FileAPI Widget. The application does not sanitize user-supplied metadata of the uploaded file (in particular, the filename), so an attacker can place HTML or JavaScript in the filename, which is later rendered into the web page unchanged. When a user views the page containing that filename, the injected script executes in their browser, which is a stored cross-site scripting condition. The root cause is the absence of HTML escaping (output encoding) and of filename validation before the value is displayed, which lets arbitrary HTML/JavaScript reach the page.

04 // Exploitation Status

Public PoC. While the product is no longer supported, the vulnerability is well-documented, and PoCs are likely readily available. The lack of support increases the likelihood of this vulnerability being exploited.

05 // Threat Intelligence

While no specific APTs are directly linked to this vulnerability, the ease of exploitation makes it attractive to various threat actors. This type of vulnerability is often used in phishing campaigns and as a stepping stone for further attacks. Not on CISA KEV due to the end-of-life status of the affected product.

06 // Detection & Hunting

  • Analyze web server logs for suspicious file uploads with unusual filenames (e.g., filenames containing <script> tags or other HTML entities).

  • Monitor network traffic for requests containing potentially malicious JavaScript code in the Content-Disposition header or other HTTP headers related to file uploads.

  • Implement a Web Application Firewall (WAF) with rules to detect and block XSS attempts, specifically targeting file upload functionality.

  • Use a Content Security Policy (CSP) to restrict the execution of inline scripts and scripts from untrusted sources.
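The log-hunting and header checks in the bullets above, as an added Python example that is not part of this advisory or of the widget: it decodes percent- and entity-encoded filenames before looking for markup, extracts the filename from a Content-Disposition header, and runs the check over a few constructed upload-audit log lines. The log format, the helper names and the client addresses are assumptions; the widget's own logging is not described on this page.

```python
"""Hunt for HTML/JavaScript markup in uploaded filenames recorded in logs.

Added illustration for CVE-2017-20158: the log format and helper names are
assumptions, not the widget's own logging or any real detection product.
"""
import html
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Markup fragments that have no business in a filename. They are matched
# after decoding so percent- or entity-encoded variants are caught as well.
SUSPICIOUS_PATTERNS = [
    re.compile(r"<\s*/?\s*[a-z][a-z0-9-]*", re.IGNORECASE),  # HTML tag opener, e.g. <script
    re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE),            # inline event-handler attribute
    re.compile(r"javascript\s*:", re.IGNORECASE),            # javascript: URL scheme
]


def normalize(name: str) -> str:
    """Undo the encodings an uploader can use to slip markup past a naive filter."""
    decoded = name
    # Two passes handle simple double-encoding (e.g. %253C -> %3C -> <).
    for _ in range(2):
        decoded = html.unescape(unquote(decoded))
    return decoded


def is_suspicious_filename(name: str) -> bool:
    """True when the decoded filename contains tag, event-handler or URL-scheme markup."""
    decoded = normalize(name)
    return any(pattern.search(decoded) for pattern in SUSPICIOUS_PATTERNS)


# Handles filename="..." / filename=token and the RFC 5987 filename*=charset''value form.
_FILENAME_RE = re.compile(r'filename\*?\s*=\s*(?:"([^"]*)"|([^;]+))', re.IGNORECASE)


def filename_from_content_disposition(header: str) -> Optional[str]:
    """Extract the (still encoded) filename parameter from a Content-Disposition header."""
    match = _FILENAME_RE.search(header)
    if not match:
        return None
    value = match.group(1) if match.group(1) is not None else match.group(2).strip()
    if "''" in value:  # filename*=UTF-8''percent-encoded-name
        value = value.split("''", 1)[1]
    return value


# Constructed sample lines in an assumed application upload-audit format; the
# client addresses come from documentation ranges and the entries are not real traffic.
SAMPLE_UPLOAD_LOG = [
    '2022-12-31T11:15:00Z upload client=203.0.113.5 file="report.pdf" status=ok',
    '2022-12-31T11:16:02Z upload client=203.0.113.9 file="%3Cscript%3Ealert(\'XSS\')%3C%2Fscript%3E.png" status=ok',
    '2022-12-31T11:17:30Z view client=198.51.100.7 path=/index.php status=ok',
    '2022-12-31T11:18:11Z upload client=203.0.113.9 file="&lt;script&gt;alert(\'XSS\')&lt;/script&gt;.jpg" status=ok',
    '2022-12-31T11:19:45Z upload client=198.51.100.7 file="Q4 summary (final).docx" status=ok',
]

_LOG_FILE_RE = re.compile(r'\bfile="([^"]*)"')


def scan_upload_log(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line_number, raw_filename, decoded_filename) for each suspicious upload entry."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        match = _LOG_FILE_RE.search(line)
        if not match:
            continue  # not an upload entry
        raw = match.group(1)
        if is_suspicious_filename(raw):
            hits.append((lineno, raw, normalize(raw)))
    return hits


if __name__ == "__main__":
    for lineno, raw, decoded in scan_upload_log(SAMPLE_UPLOAD_LOG):
        print(f"line {lineno}: {raw!r} decodes to {decoded!r}")
```

The decoding step matters more than the pattern list: an entry that looks harmless in the raw log (`%3Cscript%3E` or `&lt;script&gt;`) is exactly what reaches the page once the application decodes it, so hunting on the raw text alone misses the cases the first bullet describes. Treat hits as leads for review, not as verdicts; legitimate names containing a stray `<` will also match.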

07 // Remediation & Hardening

  • Upgrade to version 0.1.9 or later (if possible, though the product is unsupported).

  • Implement robust input validation to sanitize all user-supplied data, especially filenames, before processing or storing them.

  • Implement output encoding (e.g., HTML escaping) to prevent the execution of malicious code when displaying user-supplied data.

  • If the widget is no longer needed, remove it from the application.

  • If the widget must be used, consider replacing it with a supported and secure alternative.

  • Implement a WAF to filter malicious requests.
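The two code-level remediations above (validate the filename on input, HTML-encode it on output) and the root cause described under Deep Technical Analysis, as an added Python illustration. This is not the widget's PHP source, which is not reproduced on this page; the function names, the rendered `<li>` template and the extension allow-list are assumptions chosen to mirror the defect (a client-supplied filename echoed into HTML unchanged) next to the hardened version.

```python
"""Rendering an uploaded filename: the unsafe pattern this advisory describes
beside its hardened form.

Added illustration for CVE-2017-20158, not the widget's code: function names,
the list-item template and ALLOWED_EXTENSIONS are assumptions.
"""
import html
import re
import unicodedata
from pathlib import PurePosixPath, PureWindowsPath

ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "pdf"}  # assumed upload policy
MAX_STEM_LENGTH = 100


def render_vulnerable(filename: str) -> str:
    """The defect: the client-supplied name is interpolated into markup as-is."""
    return f'<li class="upload">{filename}</li>'


def render_escaped(filename: str) -> str:
    """Output encoding alone: every HTML-significant character is escaped at render time,
    so a name containing <script> is shown as text instead of being parsed as a tag."""
    return f'<li class="upload">{html.escape(filename, quote=True)}</li>'


def sanitize_filename(filename: str) -> str:
    """Input validation at upload time: keep a conservative base name, reject the rest."""
    # Drop any directory part the client sent, in either separator style.
    base = PureWindowsPath(PurePosixPath(filename).name).name
    base = unicodedata.normalize("NFKC", base)
    stem, dot, ext = base.rpartition(".")
    if not dot or ext.lower() not in ALLOWED_EXTENSIONS:
        raise ValueError("file extension not allowed")
    # Allow-list characters rather than trying to strip the dangerous ones.
    stem = re.sub(r"[^A-Za-z0-9 _-]+", "_", stem).strip(" ._")
    if not stem:
        raise ValueError("empty file name")
    return f"{stem[:MAX_STEM_LENGTH]}.{ext.lower()}"


def store_and_render(filename: str) -> str:
    """Both layers together: validate on the way in, and still escape on the way out,
    so a later change to the allow-list cannot quietly reopen the XSS."""
    return render_escaped(sanitize_filename(filename))


if __name__ == "__main__":
    payload_name = "<script>alert('XSS')</script>.png"  # the example payload from the advisory
    print("vulnerable:", render_vulnerable(payload_name))
    print("escaped:   ", render_escaped(payload_name))
    print("validated: ", store_and_render("report<script>.png"))
```

Output encoding is the fix that directly removes the XSS, because the browser then receives `&lt;script&gt;` rather than a tag; validation on input is the second layer that also keeps path separators and unexpected extensions out of storage. In the widget's own Yii2 context the encoding step corresponds to passing the filename through `yii\helpers\Html::encode()` before it is placed in a view.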

08 // Affected Products

vova07 Yii2 FileAPI Widget up to version 0.1.8