CVE-2024-28147
📋 TL;DR
This vulnerability lets any authenticated user upload arbitrary files through edu-sharing's collection preview image upload function, which accepts file types it should not. An attacker can upload an HTML file containing JavaScript (stored XSS against anyone who views the collection preview) or an SVG file whose XML declares recursively nested entities (entity expansion, leading to DoS). It affects edu-sharing versions before 8.0.8-RC2, 8.1.4-RC0, and 9.0.0-RC19.
💻 Affected Systems
- edu-sharing
⚠️ Manual Verification Required
The database entry for this CVE carries no machine-readable version ranges, so automated detection cannot tell whether a given installation is affected.
Why? The CVE database entry does not specify vulnerable version ranges (none were provided by the vendor/NVD). The disclosure itself names the fixed releases (8.0.8-RC2, 8.1.4-RC0, 9.0.0-RC19), so compare your installed version against those by hand.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could execute arbitrary JavaScript in victims' browsers, potentially stealing session cookies, performing actions as the victim, or conducting DoS attacks via XML entity expansion.
Likely Case
Authenticated attackers uploading malicious files that execute when other users view collection previews, leading to session hijacking or limited DoS.
If Mitigated
If proper file type validation and content sanitization are implemented, the risk is reduced to minimal with only legitimate file uploads allowed.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once access is obtained. Public exploit details are available in disclosure references.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: edu-sharing 8.0.8-RC2, 8.1.4-RC0, 9.0.0-RC19 or later
Disclosure Reference: http://seclists.org/fulldisclosure/2024/Jun/11
Restart Required: Yes
Instructions:
1. Identify your edu-sharing version.
2. Upgrade to a patched version: 8.0.8-RC2, 8.1.4-RC0, or 9.0.0-RC19 or later.
3. Restart the application server.
4. Verify the fix by testing the collection preview image upload functionality.
🔧 Temporary Workarounds
Restrict file upload types
Configure a web application firewall or server-side validation to allow only safe raster image types (JPG, PNG, GIF) and block HTML and SVG uploads. Validate on file content (magic bytes), not only on the extension or the client-supplied Content-Type, both of which the uploader controls.
Disable collection preview image upload
Temporarily disable the vulnerable upload function until patching is complete.
🧯 If You Can't Patch
- Implement strict server-side file type validation that rejects HTML and SVG files based on their content, not just their name.
- Apply Content Security Policy headers to limit the impact of XSS, and serve stored preview files with a correct Content-Type, X-Content-Type-Options: nosniff and, where possible, from a separate origin or with Content-Disposition: attachment. Note that CSP does nothing against the XML entity expansion DoS; only rejecting or sanitizing the SVG does.
- Monitor upload logs for suspicious activity.
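The following is an added example of the server-side check described in the workarounds above; it is not edu-sharing code and the upload function name is a hypothetical stand-in. It decides on file content (magic bytes) rather than on the extension or the client-supplied Content-Type, names the reason for each rejection, and also catches two cases a naive check misses: an SVG with an `<!ENTITY` declaration (the entity expansion DoS) and a valid GIF header followed by HTML (a polyglot). The sample uploads are constructed for the demo.

```python
import codecs
import re

# Magic bytes for the only types a collection preview image needs.
ALLOWED_MAGIC = {
    b"\xff\xd8\xff": "image/jpeg",
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}
ALLOWED_EXT = {"jpg": "image/jpeg", "jpeg": "image/jpeg",
               "png": "image/png", "gif": "image/gif"}

# Markup that would make a browser treat the file as a document.
MARKUP_RE = re.compile(rb"<\s*(!doctype\s+html|html|script|iframe|body|svg)\b", re.I)
ENTITY_RE = re.compile(rb"<!ENTITY\b", re.I)          # XML entity declaration
XML_RE = re.compile(rb"^\s*(<\?xml|<\s*svg\b)", re.I)  # XML prolog or bare <svg>


def sniff_image_type(data: bytes):
    """Return the MIME type implied by the leading bytes, or None."""
    for magic, mime in ALLOWED_MAGIC.items():
        if data.startswith(magic):
            return mime
    return None


def describe_payload(data: bytes) -> str:
    """Name the kind of non-image content that is being rejected."""
    head = data[:4096]
    if head.startswith(codecs.BOM_UTF8):
        head = head[3:]
    if ENTITY_RE.search(head):
        return "xml-entity-declaration"
    if XML_RE.match(head):
        return "svg"
    if MARKUP_RE.search(head):
        return "html"
    return "unrecognised"


def check_upload(filename: str, data: bytes):
    """Hypothetical validation hook: returns (accepted, reason).

    On success the reason is the sniffed MIME type to store and serve."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_EXT:
        return False, f"extension-not-allowed:{ext or 'none'}"
    sniffed = sniff_image_type(data)
    if sniffed is None:
        return False, f"not-an-image:{describe_payload(data)}"
    if sniffed != ALLOWED_EXT[ext]:
        return False, f"extension-mismatch:{ALLOWED_EXT[ext]}!={sniffed}"
    # A valid image header followed by markup is a polyglot attempt.
    if MARKUP_RE.search(data) or ENTITY_RE.search(data):
        return False, "polyglot-markup"
    return True, sniffed


# Constructed sample uploads (not taken from any real disclosure).
SAMPLES = {
    "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
    "evil.png": b"<html><body><script>alert(document.domain)</script></body></html>",
    "bomb.png": (b'<?xml version="1.0"?><!DOCTYPE svg [<!ENTITY a "aaaaaaaaaa">'
                 b'<!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">]><svg>&b;</svg>'),
    "poly.gif": b"GIF89a\x01\x00\x01\x00" + b"<script>alert(1)</script>",
    "file.svg": b"<svg xmlns='http://www.w3.org/2000/svg'><script>alert(1)</script></svg>",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:10s} -> {check_upload(name, blob)}")
```

Even with this check in place, serve stored previews with the sniffed Content-Type and `X-Content-Type-Options: nosniff`; the polyglot check exists because a browser that trusts a wrong Content-Type would otherwise render the markup part of a GIF/HTML file.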
🔍 How to Verify
Check if Vulnerable:
Check if authenticated users can upload HTML or SVG files to the collection preview image upload endpoint and if those files are served without proper sanitization.
Check Version:
Check edu-sharing application configuration or admin interface for version information.
Verify Fix Applied:
Attempt to upload HTML/SVG files after patching; they should be rejected or properly sanitized. Verify version is 8.0.8-RC2, 8.1.4-RC0, or 9.0.0-RC19+.
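As an added example for the verification steps above (not part of the original page or of edu-sharing), this script classifies how a stored preview file would behave when a victim's browser fetches it: rendered inline as HTML/SVG/XML (vulnerable), forced to download, or served as an image. The upload endpoint and the way a preview URL is obtained are not named in the advisory, so the block only classifies a response you supply; `probe()` fetches a URL you pass on the command line after you have uploaded a test file by hand. The sample responses are constructed.

```python
import sys
import urllib.error
import urllib.request

# Types a browser renders as a document: script runs, XML entities expand.
RENDERABLE = {"text/html", "application/xhtml+xml", "image/svg+xml",
              "text/xml", "application/xml"}
MARKUP_START = (b"<!doctype", b"<html", b"<svg", b"<?xml", b"<script")


def classify_preview_response(status, headers, body):
    """Say how a fetched preview file would behave in a victim's browser."""
    h = {k.lower(): v for k, v in headers.items()}
    if status >= 400:
        return "not-served"
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    if "attachment" in h.get("content-disposition", "").lower():
        return "ok: forced download"
    if ctype in RENDERABLE:
        return "vulnerable: rendered inline as " + ctype
    lead = body[:64].lstrip().lower()
    if lead.startswith(MARKUP_START):
        nosniff = h.get("x-content-type-options", "").strip().lower() == "nosniff"
        return "suspect: markup body served as %s%s" % (
            ctype or "unknown", "" if nosniff else ", no nosniff")
    return "ok"


def probe(url):
    """Fetch a stored preview URL and classify it (uses the network)."""
    req = urllib.request.Request(url, headers={"User-Agent": "preview-check"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return classify_preview_response(resp.status, dict(resp.headers),
                                             resp.read(65536))
    except urllib.error.HTTPError as err:
        return classify_preview_response(err.code, dict(err.headers), b"")


# Constructed responses illustrating each outcome.
SAMPLE_RESPONSES = {
    "unpatched-html": (200, {"Content-Type": "text/html; charset=utf-8"}, b"<html>"),
    "unpatched-svg": (200, {"Content-Type": "image/svg+xml"}, b"<svg/>"),
    "download-only": (200, {"Content-Type": "image/svg+xml",
                            "Content-Disposition": "attachment; filename=x.svg"}, b"<svg/>"),
    "real-image": (200, {"Content-Type": "image/png",
                         "X-Content-Type-Options": "nosniff"}, b"\x89PNG\r\n\x1a\n"),
    "mislabelled": (200, {"Content-Type": "image/png"}, b"  <SVG xmlns='x'>"),
    "rejected": (404, {}, b""),
}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for u in sys.argv[1:]:
            print(u, "->", probe(u))
    else:
        for name, (st, hd, bd) in SAMPLE_RESPONSES.items():
            print(f"{name:15s} -> {classify_preview_response(st, hd, bd)}")
```

A patched installation should either refuse the HTML/SVG upload outright (no URL to probe) or return "ok" / "ok: forced download" for whatever it stored; any "vulnerable" result means the stored file still executes in the viewer's browser.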
📡 Detection & Monitoring
Log Indicators:
- Unusual file uploads (HTML/SVG) to collection preview endpoints
- Multiple failed upload attempts
- Requests to uploaded HTML/SVG files
Network Indicators:
- HTTP POST requests with file uploads to vulnerable endpoints
- Subsequent GET requests to uploaded malicious files
SIEM Query:
source="web_server" AND status=200 AND ((method="POST" AND uri="/edu-sharing/upload") OR (method="GET" AND uri LIKE "/edu-sharing/preview/%" AND (uri LIKE "%.html" OR uri LIKE "%.svg")))
The two paths above are placeholders; substitute the actual preview upload endpoint and the path that serves stored preview files in your deployment. Without the path prefix on the GET clause, a bare "%.html" match would flag every HTML page on the host.
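The detection logic from this section, as an added example run over constructed access-log lines (not page content, and not edu-sharing's real routes: the upload and preview paths are assumed constants to be replaced with your deployment's). It flags three things: a burst of failed uploads from one user, a successful GET of an HTML/SVG file under the preview path (a potential victim), and the same by a user who earlier uploaded a preview (the uploader checking their payload).

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed paths; edu-sharing's real routes are not named in the advisory.
UPLOAD_PATH = "/edu-sharing/preview/upload"
PREVIEW_PREFIX = "/edu-sharing/preview/"
MARKUP_EXT = (".html", ".htm", ".svg", ".xml", ".xhtml")
FAIL_THRESHOLD, FAIL_WINDOW_S = 3, 60

# Apache/nginx combined log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)')


def parse(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
    ev["status"] = int(ev["status"])
    ev["path"] = ev["path"].split("?", 1)[0]  # drop the query string
    return ev


def detect(lines):
    """Return a list of (rule, user, ip, path) findings in log order."""
    findings = []
    failed = defaultdict(list)  # user -> timestamps of recent failed uploads
    uploaders = set()           # users with at least one accepted upload
    for ev in filter(None, map(parse, lines)):
        path = ev["path"].lower()
        if ev["method"] == "POST" and path == UPLOAD_PATH:
            if ev["status"] >= 400:
                recent = [t for t in failed[ev["user"]]
                          if (ev["ts"] - t).total_seconds() <= FAIL_WINDOW_S]
                recent.append(ev["ts"])
                failed[ev["user"]] = recent
                if len(recent) == FAIL_THRESHOLD:
                    findings.append(("repeated-failed-uploads", ev["user"], ev["ip"], ev["path"]))
            else:
                uploaders.add(ev["user"])
        elif (ev["method"] == "GET" and ev["status"] == 200
              and path.startswith(PREVIEW_PREFIX) and path.endswith(MARKUP_EXT)):
            rule = "uploader-fetched-markup" if ev["user"] in uploaders else "markup-preview-served"
            findings.append((rule, ev["user"], ev["ip"], ev["path"]))
    return findings


# Constructed log lines: a normal user, then an attacker and a victim.
SAMPLE_LOG = """\
10.0.0.5 - alice [12/Jun/2024:10:01:02 +0000] "POST /edu-sharing/preview/upload HTTP/1.1" 200 51 "-" "Mozilla/5.0"
10.0.0.5 - alice [12/Jun/2024:10:01:09 +0000] "GET /edu-sharing/preview/col-42/cover.png HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
10.0.0.9 - mallory [12/Jun/2024:10:05:00 +0000] "POST /edu-sharing/preview/upload HTTP/1.1" 400 12 "-" "curl/8.0"
10.0.0.9 - mallory [12/Jun/2024:10:05:03 +0000] "POST /edu-sharing/preview/upload HTTP/1.1" 400 12 "-" "curl/8.0"
10.0.0.9 - mallory [12/Jun/2024:10:05:07 +0000] "POST /edu-sharing/preview/upload HTTP/1.1" 400 12 "-" "curl/8.0"
10.0.0.9 - mallory [12/Jun/2024:10:05:20 +0000] "POST /edu-sharing/preview/upload HTTP/1.1" 200 51 "-" "curl/8.0"
10.0.0.22 - bob [12/Jun/2024:10:07:00 +0000] "GET /edu-sharing/preview/col-42/cover.html HTTP/1.1" 200 311 "-" "Mozilla/5.0"
10.0.0.9 - mallory [12/Jun/2024:10:08:00 +0000] "GET /edu-sharing/preview/col-42/cover.svg?v=2 HTTP/1.1" 200 940 "-" "curl/8.0"
"""

if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG.splitlines()):
        print(finding)
```

The "uploader-fetched-markup" rule is the most useful of the three for triage: a stored-XSS payload is usually tested by its author before a victim sees it, and the "markup-preview-served" hits that follow tell you who may have been affected.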