VYPR
Unrated severity · NVD Advisory · Published Feb 17, 2023 · Updated Mar 18, 2025

Cross-site Scripting (XSS) - Stored in btcpayserver/btcpayserver

CVE-2023-0879

Description

Cross-site Scripting (XSS) - Stored in GitHub repository btcpayserver/btcpayserver prior to 1.7.12.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in BTCPayServer prior to 1.7.12 allows attackers to upload malicious files (e.g., SVG) that execute scripts when viewed.

Vulnerability

A stored cross-site scripting (XSS) vulnerability exists in BTCPayServer versions prior to 1.7.12. The application's file upload functionality did not inspect the actual content of uploaded files; it trusted the file extension or the client-supplied Content-Type instead. This allowed an attacker to upload files such as SVG images containing embedded JavaScript. Because SVG is an XML document rather than a binary raster format, a browser that renders it inline executes any script it contains, so the stored file was later served and rendered without sanitization [1][2].

Exploitation

An attacker who can reach a file upload feature (e.g., store configuration, invoice attachments, or other upload points) crafts a malicious file, such as an SVG with an embedded `<script>` element. The file is uploaded and stored on the server unchanged. When a victim later views the file (e.g., by visiting a page that displays or links it), the browser parses the SVG and runs the embedded script in the origin of the BTCPayServer application [2]. Exploitation therefore requires access to an upload feature; whether that requires an authenticated account depends on which upload endpoints a deployment exposes.

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the victim's browser session. This can lead to theft of session cookies, unauthorized actions on behalf of the victim, defacement of the application interface, or exfiltration of sensitive data displayed on the page [2].

Mitigation

The vulnerability is fixed in BTCPayServer version 1.7.12. The fix introduces a FileTypeDetector class that validates file content by checking magic bytes (file signatures) for common image formats and rejects files that do not match an expected signature [1]. An SVG is text and carries no such binary signature, so it does not pass a signature check for raster image formats. Users should upgrade to version 1.7.12 or later. No workaround is documented for unpatched versions. As general defense in depth, independent of this fix, user-uploaded files should be served under the detected Content-Type with X-Content-Type-Options: nosniff, and ideally from a separate origin or with Content-Disposition: attachment, so that a file which slips past validation still cannot run script in the application's origin.
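The following is an added example, not BTCPayServer code and not the project's FileTypeDetector: it places an extension/Content-Type check of the kind the Vulnerability section describes beside a magic-byte check of the kind the Mitigation section describes, and runs both over a constructed malicious SVG and constructed raster-image headers. The function names, the allowlists and the sample files are this example's own assumptions; the file signatures themselves are the standard PNG, JPEG, GIF and WebP ones.

```python
"""Weak (extension / declared Content-Type) upload check beside a
magic-byte check. Added example; not BTCPayServer's own code."""

# Well-known file signatures. Each entry is a list of alternatives; each
# alternative is a list of (offset, bytes) parts that must all match.
SIGNATURES = {
    "image/png":  [[(0, b"\x89PNG\r\n\x1a\n")]],
    "image/jpeg": [[(0, b"\xff\xd8\xff")]],
    "image/gif":  [[(0, b"GIF87a")], [(0, b"GIF89a")]],
    "image/webp": [[(0, b"RIFF"), (8, b"WEBP")]],  # RIFF container, "WEBP" at byte 8
}

# Allowlist the weak check trusts (assumption). Listing SVG here mirrors an
# upload feature that treats SVG as just another image type.
WEAK_ALLOWED_EXT = {"png", "jpg", "jpeg", "gif", "webp", "svg"}
WEAK_ALLOWED_CT = {"image/png", "image/jpeg", "image/gif", "image/webp", "image/svg+xml"}


def weak_accepts(filename: str, client_content_type: str) -> bool:
    """Vulnerable pattern: trusts the filename extension and the Content-Type
    the client sent and never looks at the bytes. Either attribute suffices."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext in WEAK_ALLOWED_EXT or client_content_type.lower() in WEAK_ALLOWED_CT


def detect_image_type(data: bytes):
    """Return the MIME type whose signature the leading bytes match, else None.
    Text formats such as SVG have no binary signature and always yield None."""
    for mime, alternatives in SIGNATURES.items():
        for parts in alternatives:
            if all(data[off:off + len(sig)] == sig for off, sig in parts):
                return mime
    return None


def hardened_accepts(filename: str, client_content_type: str, data: bytes):
    """Fixed pattern: accept only if the bytes carry a known raster-image
    signature AND the declared type agrees with what the bytes say.
    Returns (accepted, reason_or_detected_type)."""
    detected = detect_image_type(data)
    if detected is None:
        return False, "no known image signature"
    if client_content_type.lower() != detected:
        return False, f"declared {client_content_type} but content is {detected}"
    return True, detected


# Constructed sample inputs, not real uploads.
MALICIOUS_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
    b'<script>alert(document.domain)</script>'  # runs if the SVG is rendered inline
    b'</svg>'
)
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + bytes(17)
SAMPLE_GIF = b"GIF89a" + bytes(10)
SAMPLE_WEBP = b"RIFF" + b"\x10\x00\x00\x00" + b"WEBP" + b"VP8 " + bytes(8)


def run_demo() -> dict:
    """Run both checks over the samples; result keyed by case name."""
    cases = {
        # name: (filename, declared Content-Type, bytes)
        "svg_as_svg":  ("logo.svg", "image/svg+xml", MALICIOUS_SVG),
        "svg_as_png":  ("logo.png", "image/png", MALICIOUS_SVG),   # renamed and relabelled
        "real_png":    ("logo.png", "image/png", SAMPLE_PNG),
        "png_as_jpeg": ("logo.jpg", "image/jpeg", SAMPLE_PNG),     # wrong declaration
        "real_gif":    ("anim.gif", "image/gif", SAMPLE_GIF),
        "real_webp":   ("photo.webp", "image/webp", SAMPLE_WEBP),
    }
    return {
        name: {"weak": weak_accepts(fn, ct), "hardened": hardened_accepts(fn, ct, data)[0]}
        for name, (fn, ct, data) in cases.items()
    }


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:12} weak={verdict['weak']!s:5} hardened={verdict['hardened']}")
```

The weak check accepts the scripted SVG whether it is named `logo.svg` or relabelled as `logo.png`, because it never reads the bytes; the signature check rejects both, and also rejects a genuine PNG that is declared as JPEG. Note that a signature check only inspects the leading bytes, so it must be paired with serving stored uploads under the detected Content-Type with `X-Content-Type-Options: nosniff` (and preferably from a separate origin or as an attachment); on its own it decides what the file looks like, not how the browser will treat it.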

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: not yet synthesized for this CVE

References: 2

News mentions: 0