Cross-site Scripting (XSS) - Stored in btcpayserver/btcpayserver
Description
Cross-site Scripting (XSS) - Stored in GitHub repository btcpayserver/btcpayserver prior to 1.7.11.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in BTCPay Server prior to 1.7.11 allows attackers to inject arbitrary JavaScript via crafted file uploads.
Vulnerability
A stored cross-site scripting (XSS) vulnerability exists in BTCPay Server versions prior to 1.7.11. The flaw resides in the static file upload functionality, where user-supplied file names or content are not properly sanitized before being served to other users. This allows an attacker to upload a file containing malicious JavaScript that executes in the context of any user viewing the uploaded file [1][2].
Exploitation
An attacker must have the ability to upload files to the BTCPay Server instance (e.g., as a merchant or admin with file upload permissions). The attacker crafts a file with a payload embedded in the filename or content, such as a specially crafted SVG or HTML file. When other users access the uploaded file (e.g., via a direct link or through the UI), the malicious script executes in their browser [1][2].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's session. This can lead to session hijacking, theft of sensitive data (e.g., API keys, payment information), defacement, or further attacks against other users of the BTCPay Server instance [1][2].
Mitigation
The vulnerability is fixed in BTCPay Server version 1.7.11, released on 2023-02-13. The fix strengthens Content Security Policy (CSP) rules on static file uploads to prevent script execution [1]. Users should upgrade to version 1.7.11 or later. No workaround is documented in the available references [2].
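The advisory only says the fix "strengthens CSP rules on static file uploads"; it does not show the code. The following is an added example, not BTCPay Server's own code, showing the class of defence that statement describes in a framework-independent way: when a user-uploaded file is served back to a browser, attach a Content-Security-Policy that forbids script execution and sandboxes the document, pin the declared type with `nosniff`, and refuse to render active content types (HTML, SVG, XML) inline. The policy string, the set of "active" types, the markup sniffing heuristic and all function names are assumptions made for this example.

```python
"""Defensive response-header policy for serving user-uploaded files.

Added example (not BTCPay Server code).  Models the kind of fix the advisory
describes: a strict Content-Security-Policy on uploaded files plus a refusal
to render active content inline.  Names and values are assumptions.
"""
import re
from typing import Dict

# Content types a browser renders as a document and can execute script from.
# Serving these inline from the application's own origin is what turns an
# uploaded file into stored XSS.  (Assumed list for this example.)
ACTIVE_CONTENT_TYPES = {
    "text/html",
    "application/xhtml+xml",
    "image/svg+xml",
    "text/xml",
    "application/xml",
}

# Policy for uploaded files: no script, no frames, no plugins, no navigation,
# and 'sandbox' puts the document in an opaque origin with no cookies.
UPLOAD_CSP = "default-src 'none'; sandbox; form-action 'none'; base-uri 'none'"

_MARKUP_PREFIX = re.compile(rb"^\s*(<!doctype|<html|<svg|<script|<\?xml)", re.IGNORECASE)


def looks_like_markup(data: bytes) -> bool:
    """Cheap content check: does the body start like an HTML/SVG/XML document?

    A file declared as image/png whose body begins with '<svg' is the kind of
    mismatch that some browsers sniff into an executable document.
    """
    return bool(_MARKUP_PREFIX.match(data[:1024]))


def safe_download_name(filename: str) -> str:
    """Reduce an untrusted filename to a safe ASCII token for Content-Disposition."""
    name = filename.rsplit("/", 1)[-1].rsplit("\\", 1)[-1]   # drop any path component
    name = re.sub(r"[^A-Za-z0-9._-]", "_", name)               # strip quotes, CR/LF, ...
    name = name.lstrip(".") or "download"                        # no hidden or empty names
    return name[:128]


def response_headers_for_upload(filename: str, content_type: str, body: bytes) -> Dict[str, str]:
    """Headers to attach when serving an uploaded file back to a browser."""
    headers = {
        "Content-Security-Policy": UPLOAD_CSP,
        "X-Content-Type-Options": "nosniff",   # browser must honour our Content-Type
        "Referrer-Policy": "no-referrer",
    }
    ctype = content_type.split(";", 1)[0].strip().lower()
    name = safe_download_name(filename)
    if ctype in ACTIVE_CONTENT_TYPES or looks_like_markup(body):
        # Active content is never rendered inline: force a download and pin the
        # type to a generic binary so the browser has no reason to interpret it.
        headers["Content-Type"] = "application/octet-stream"
        headers["Content-Disposition"] = f'attachment; filename="{name}"'
    else:
        headers["Content-Type"] = ctype or "application/octet-stream"
        headers["Content-Disposition"] = f'inline; filename="{name}"'
    return headers


if __name__ == "__main__":
    # Constructed samples: a benign PNG header, an SVG carrying a script element,
    # and a mislabelled upload whose body is really markup.
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    svg = b'<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>'
    for fname, ctype, body in [
        ("logo.png", "image/png", png),
        ("invoice.svg", "image/svg+xml", svg),
        ("notes.png", "image/png", svg),
        ('../x"\r\nSet-Cookie: a=b.html', "text/html", svg),
    ]:
        print(fname, "->", response_headers_for_upload(fname, ctype, body))
```

The two controls are deliberately independent: the CSP neutralises script even if an active file does get rendered, and the inline/attachment decision keeps active types from being rendered in the first place. In a real deployment the stronger option is to serve uploads from a separate origin entirely, so that any script that does run has no access to the application's session.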
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: <1.7.11
- (no CPE) range: unspecified
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
2 references
News mentions
No linked articles in our index yet.