VYPR
Unrated severity · NVD Advisory · Published Feb 8, 2023 · Updated Mar 25, 2025

Cross-site Scripting (XSS) - Stored in btcpayserver/btcpayserver

CVE-2023-0747

Description

Cross-site Scripting (XSS) - Stored in GitHub repository btcpayserver/btcpayserver prior to 1.7.6.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in BTCPay Server's file storage allows attackers to inject malicious scripts via uploaded files, affecting versions prior to 1.7.6.

Vulnerability

A stored cross-site scripting (XSS) vulnerability exists in the file storage component of BTCPay Server versions prior to 1.7.6. An attacker can upload a file containing malicious JavaScript code, which is then stored on the server. When other users, such as administrators, view or download the file, the injected script executes in their browser context. The vulnerability is addressed in commit d4e464ad4ef0cbbf61751e70f77865de325dd6cf [1].

Exploitation

To exploit this vulnerability, an attacker must have the ability to upload files to the BTCPay Server instance, typically as a merchant or user with file upload permissions. The attacker crafts a file with a malicious payload embedded in the filename or file content. When an administrator or other user accesses the uploaded file (e.g., via a direct link or preview), the browser executes the injected script. No additional user interaction beyond viewing the file is required [2].

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's session. This can lead to theft of authentication tokens, session hijacking, defacement, or other actions performed on behalf of the victim. The impact is limited to the browser session of the user who views the malicious file, but could be used to escalate privileges or access sensitive data within the BTCPay Server application.

Mitigation

The vulnerability is fixed in BTCPay Server version 1.7.6, released on or before February 8, 2023. Users should upgrade to version 1.7.6 or later immediately. No workarounds are documented; upgrading is the recommended mitigation [1][2].
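As an added illustration (not part of this advisory and not BTCPay Server's own code or the fix in the referenced commit), the snippet below contrasts a file list that interpolates a stored upload's name straight into HTML with a hardened version that escapes it, plus response headers that keep a served upload from being rendered as a page; the function names and the constructed sample entries are assumptions for the demonstration.

```python
import html
from typing import Dict, List

# Constructed sample: two stored uploads, the second with markup in its name.
UPLOADED_FILES = [
    {"id": 1, "name": "invoice.pdf"},
    {"id": 2, "name": '<img src=x onerror="alert(1)">.png'},
]

def render_file_list_vulnerable(files: List[Dict]) -> str:
    # Interpolates the stored filename directly into markup, so the second
    # entry's name is parsed as live HTML by whoever views the list (stored XSS).
    rows = [f'<li><a href="/files/{f["id"]}">{f["name"]}</a></li>' for f in files]
    return "<ul>" + "".join(rows) + "</ul>"

def render_file_list_hardened(files: List[Dict]) -> str:
    # Escapes the untrusted name (and id) before it reaches HTML, so the
    # browser displays the markup as text instead of executing it.
    rows = [
        f'<li><a href="/files/{html.escape(str(f["id"]))}">'
        f'{html.escape(f["name"])}</a></li>'
        for f in files
    ]
    return "<ul>" + "".join(rows) + "</ul>"

def download_headers(filename: str) -> Dict[str, str]:
    # Headers for serving a stored upload: force a download rather than inline
    # rendering, disable MIME sniffing, and deny any scripting context via CSP
    # in case the body is still opened in the browser.
    safe_name = "".join(c for c in filename if c.isalnum() or c in "._-") or "download"
    return {
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
        "Content-Type": "application/octet-stream",
    }

def contains_live_markup(rendered: str) -> bool:
    # Simple detection check: an unescaped "<img" means the stored name was
    # injected into the page as markup rather than shown as text.
    return "<img" in rendered
```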

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (No patches discovered yet.)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 2

News mentions: 0 (No linked articles in our index yet.)