Executive Summary

This vulnerability in Wekan up to version 18.15 allows uploaded attachments to be served with an attacker-controlled Content-Type such as text/html. This enables execution of attacker-supplied HTML and JavaScript within the application's origin, leading to stored Cross-Site Scripting (XSS). As a result, attackers can steal user sessions or tokens and perform Cross-Site Request Forgery (CSRF) actions. The issue was fixed in version 18.16 by enforcing strict content validation, blocking inline rendering of dangerous files, forcing downloads with safe headers, and improving file handling to prevent execution of malicious code. [3, 4]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to serious security impacts including theft of user sessions or authentication tokens, allowing attackers to impersonate users. It also enables Cross-Site Request Forgery (CSRF) attacks, which can cause unauthorized actions on behalf of users. Essentially, an attacker can execute malicious scripts in the context of the Wekan application, compromising user data and potentially the integrity of the application environment. [3, 4]

Useful 0 Not Useful 0

Detection Guidance

Detection of this vulnerability involves checking if your Wekan instance is running a version prior to 18.16, as versions up to 18.15 are affected. Additionally, monitoring attachment uploads for Content-Type headers set to text/html or other dangerous MIME types (e.g., application/javascript, image/svg+xml) can indicate exploitation attempts. Since the vulnerability allows execution of attacker-supplied HTML/JS via attachments, you can inspect HTTP responses for attachments served with unsafe Content-Type headers. Commands to detect such issues could include using curl or wget to fetch attachments and inspecting headers, for example: curl -I https://your-wekan-instance/attachment-url | grep Content-Type. Also, reviewing logs for attachment uploads with suspicious MIME types or scanning uploaded files for embedded scripts can help. However, no specific detection commands are provided in the resources. [4, 3]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include upgrading Wekan to version 18.16 or later, where this vulnerability is fixed. The fix enforces forced download of attachments with safe HTTP headers (Content-Type: application/octet-stream, Content-Disposition: attachment, X-Content-Type-Options: nosniff) to prevent inline rendering and execution of malicious content. It also blocks SVG uploads, improves file validation to detect dangerous MIME types and embedded scripts, and enhances file handling to serve attachments securely. Until upgrade, you should restrict or disable attachment uploads, especially those with potentially dangerous MIME types, and monitor for suspicious activity related to attachments. [2, 4, 3]

Useful 0 Not Useful 0