Cross-site Scripting with user-uploaded files in dhis2-core
Description
DHIS 2 is an open source information system for data capture, management, validation, analytics and visualization. Through various features of DHIS2, an authenticated user may be able to upload a file which includes embedded JavaScript. The user could then potentially trick another authenticated user into opening the malicious file in a browser, which would trigger the JavaScript code, resulting in a cross-site scripting (XSS) attack. DHIS2 administrators should upgrade to the following hotfix releases: 2.36.12.1, 2.37.8.1, 2.38.2.1, 2.39.0.1. Users unable to upgrade may add the following simple CSP rule in their web proxy for the vulnerable endpoints: script-src 'none'. This workaround will prevent all JavaScript from running on those endpoints.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in DHIS2 via file upload allows authenticated attackers to execute arbitrary JavaScript when a victim opens a malicious file.
Vulnerability
An authenticated user in DHIS2 (versions 2.35, 2.36, 2.37, 2.38, and 2.39) can upload a file containing embedded JavaScript through various features. The uploaded file, when opened by another authenticated user in a browser, triggers the malicious script, resulting in a stored cross-site scripting (XSS) vulnerability. The file is served from endpoints such as /documents/, /fileResources/, /events/files, /dataValues/files, /externalFileResources/, /trackedEntityInstances/, and /messageConversations/. The vulnerable versions are 2.36.x before 2.36.12.1, 2.37.x before 2.37.8.1, 2.38.x before 2.38.2.1, and 2.39.x before 2.39.0.1 [2].
Exploitation
The attacker must be an authenticated user with the ability to upload files via DHIS2 features. After uploading a crafted file containing JavaScript, the attacker tricks another authenticated user into opening the file in a browser (e.g., via social engineering or by sharing a link). No further privileges or complex race conditions are required; the file access itself triggers script execution [2].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser session. This can lead to data theft, session hijacking, defacement, or other actions the victim can perform within DHIS2, potentially compromising sensitive health information managed by the system [2].
Mitigation
Fixed versions are 2.36.12.1, 2.37.8.1, 2.38.2.1, and 2.39.0.1. Administrators should upgrade immediately. For users unable to upgrade, a workaround exists: add a Content-Security-Policy header carrying the directive script-src 'none' to responses from the vulnerable endpoints listed in the GHSA. Example configurations for nginx and Apache reverse proxies are provided in the advisory [2]. This workaround blocks all JavaScript execution on those endpoints, mitigating the XSS risk [1].
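The following nginx fragment is an added example, not the advisory's own configuration: it scopes the script-src 'none' policy to the file-serving endpoints named above while leaving the rest of the application untouched. It assumes DHIS2 runs on Tomcat at 127.0.0.1:8080 and that its Web API is mounted under /api/ (optionally versioned, e.g. /api/39/); hostname and upstream name are placeholders.

```nginx
# Added example, not the advisory's own configuration: an nginx reverse proxy
# in front of DHIS2 that attaches the CSP workaround to the file-serving
# endpoints named in the advisory.
# Assumptions: DHIS2 (Tomcat) listens on 127.0.0.1:8080 and its Web API is
# mounted under /api/ (optionally versioned, e.g. /api/39/).
upstream dhis2_backend {
    server 127.0.0.1:8080;
}

server {
    listen 443 ssl;
    server_name dhis2.example.org;          # placeholder hostname
    # ssl_certificate / ssl_certificate_key omitted for brevity

    # Only the endpoints that serve user-uploaded content get the
    # restrictive policy; the rest of the application keeps working.
    location ~ ^/api(/[0-9]+)?/((documents|fileResources|externalFileResources|trackedEntityInstances|messageConversations)/|(events|dataValues)/files) {
        # "always" keeps the header on 4xx/5xx responses too.
        add_header Content-Security-Policy "script-src 'none'" always;
        # Caveat: once a location has its own add_header, nginx does not
        # inherit add_header lines from the enclosing server block, so
        # repeat any global security headers (e.g. HSTS) here as well.
        proxy_pass http://dhis2_backend;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    location / {
        proxy_pass http://dhis2_backend;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

After reloading nginx, confirm with `curl -sI` against one of the matched paths that the Content-Security-Policy header is present, and against an unrelated path that it is not.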
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- dhis2/dhis2-core (range: < 2.36.12.1)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
[1] developer.mozilla.org/en-US/docs/Web/HTTP/CSP (MISC)
[2] github.com/dhis2/dhis2-core/security/advisories/GHSA-763w-rm78-6xcg (CONFIRM)
News mentions
No linked articles in our index yet.