VYPR
Medium severity 6.1 · NVD Advisory · Published Oct 25, 2024 · Updated Apr 15, 2026

CVE-2024-48448

Description

An arbitrary file upload vulnerability in Huly Platform v0.6.295 allows attackers to execute arbitrary code via uploading a crafted HTML file into the tracker comments page.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An unrestricted file upload in Huly Platform v0.6.295 lets an attacker attach a crafted HTML file to a tracker comment; because the platform later serves that file back to other users, its embedded script runs in their browsers (stored XSS).

Overview

CVE-2024-48448 describes an arbitrary file upload vulnerability in Huly Platform version 0.6.295. The flaw resides in the tracker comments page, where the platform does not properly sanitize or restrict the types of files that can be uploaded. An attacker can upload a specially crafted HTML file containing malicious script code as an attachment to a comment [1].

Exploitation

To exploit this vulnerability, an attacker needs access to a Huly instance and must be able to view or create comments on any issue in the Tracker page. The upload mechanism accepts arbitrary file types, including .html, and the uploaded file is later served to other users. When a victim views the comment containing the malicious file, or clicks a link pointing to it, the browser renders the file as an HTML document and the embedded script executes in the context of the victim's browser session [1]. No authentication beyond a standard user account is required to upload files. The impact depends on the attachment being served from the application's own origin with a content type the browser will render as HTML; an attachment forced to download as an opaque blob would not execute.

Impact

Successful exploitation results in stored cross-site scripting (XSS). The attacker's script runs in the browser of any user who loads the affected comment, potentially allowing theft of session cookies (where they are reachable from script), manipulation of the page content, or other actions performed with the victim's privileges within the Huly application, including requests made with the victim's session to the Huly API. This can lead to further compromise of user accounts or data [1].

Mitigation

At the time of publication, no official patch has been released by Huly. Until one is available, administrators should restrict who may upload attachments, validate file types server-side from the file's content (magic bytes) rather than from the client-supplied extension or Content-Type header, and make sure stored attachments can never be rendered as HTML on the application origin: serve anything outside a small allow-list of inline-safe types (for example PNG, JPEG, GIF) with Content-Type: application/octet-stream, Content-Disposition: attachment and X-Content-Type-Options: nosniff, and ideally serve all user uploads from a separate, cookieless origin. Note that SVG and PDF can carry script and should not be treated as inline-safe. Administrators are advised to monitor vendor updates for a security fix [1].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)


References: 1
