VYPR
Unrated severity · NVD Advisory · Published May 17, 2023 · Updated Jan 22, 2025

CVE-2022-45144

Description

Algoo Tracim before 4.4.2 allows XSS via HTML file upload.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in Algoo Tracim before 4.4.2 via HTML file upload allows attackers to execute arbitrary JavaScript in victims' browsers.

Vulnerability

Algoo Tracim versions before 4.4.2 (and possibly later versions until fixed in 4.11.1) contain a stored cross-site scripting (XSS) vulnerability in the file upload functionality. The application allows users to upload HTML files, which are then rendered in the context of the application without proper sanitization. Additionally, the comments feature, which normally blocks XSS via a Content Security Policy (CSP), can be bypassed using HTML injection. The vulnerability exists because uploaded HTML files are served from the same origin as the application, so any script they contain runs with the application's origin. [1]
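The mechanism above, an uploaded HTML file rendered in the application's own origin, as an added example that is not Tracim's code or its actual fix: a header policy for a raw-upload endpoint that forces active document types to download with a neutral type, plus a check a defender can run over captured response headers. The raw path and the sample response headers are constructed for illustration.

```python
import re

# MIME types a browser treats as active (script-capable) documents when rendered inline.
ACTIVE_TYPES = {"text/html", "application/xhtml+xml", "image/svg+xml",
                "text/xml", "application/xml"}

# Constructed sample: headers of the kind a vulnerable raw-file endpoint would send
# for the page's example path /api/workspaces/1/files/19/raw/test.html.
VULNERABLE_RESPONSE = {
    "Content-Type": "text/html; charset=utf-8",
    "Content-Disposition": 'inline; filename="test.html"',
}


def hardened_headers(filename: str, content_type: str) -> dict:
    """Response headers for serving an uploaded file from the application origin.

    Active document types are forced to download and relabelled text/plain, so the
    browser never interprets them as an HTML document in the application's origin.
    """
    ctype = content_type.split(";")[0].strip().lower()
    safe_name = re.sub(r"[^\w.\-]", "_", filename)  # no quotes or CR/LF in the header
    headers = {
        "Content-Type": ctype,
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",  # stop MIME sniffing of text/plain
        "Content-Security-Policy": "sandbox; default-src 'none'",  # opaque origin, no script
    }
    if ctype in ACTIVE_TYPES:
        headers["Content-Type"] = "text/plain; charset=utf-8"
    return headers


def renders_active_inline(headers: dict) -> bool:
    """Audit check over captured response headers (header names case-insensitive).

    True when an active document type would render inline in the page origin,
    i.e. it is neither forced to download nor sandboxed into an opaque origin.
    """
    h = {k.lower(): v for k, v in headers.items()}
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    if ctype not in ACTIVE_TYPES:
        return False
    if h.get("content-disposition", "").strip().lower().startswith("attachment"):
        return False
    for directive in h.get("content-security-policy", "").lower().split(";"):
        tokens = directive.split()
        # A sandbox without allow-same-origin gives the document an opaque origin.
        if tokens and tokens[0] == "sandbox" and "allow-same-origin" not in tokens:
            return False
    return True
```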

Exploitation

An attacker needs an account with file upload permissions on a Tracim instance. The attacker uploads a malicious HTML file containing JavaScript. When other users view the uploaded file (e.g., via a raw link like /api/workspaces/1/files/19/raw/test.html), the browser executes the embedded script because the file is served from the same origin. The CSP normally restricts script execution, but the advisory notes that the CSP can be bypassed via HTML injection in the comments feature, though the primary vector is the direct HTML file upload. [1]

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's session. This can lead to theft of session cookies, impersonation, data exfiltration, or other actions performed as the victim user. The impact is high as it can compromise the confidentiality and integrity of user data and actions within the Tracim platform. [1]

Mitigation

The vulnerability was initially reported in November 2022 and was fixed in Tracim version 4.4.2 (as per the CVE description). However, the advisory later notes that the vendor confirmed the fix in version 4.11.1 (as of October 2024). Users should upgrade to at least version 4.4.2, but preferably to 4.11.1 or later. No workarounds are mentioned in the references. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog as of this writing. [1][2]

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • Algoo/Tracim (source: description)
  • Algoo/Tracim (source: llm-create), affected range: <4.4.2
